ABSTRACT

In this study, we investigated an algebraic-type attack, known as the cube attack, against wireless networks. We implemented the cube attack in a wireless system, namely Bluetooth. We formally modeled the encryption function of the E0 Bluetooth key generator and automated the factorization process (preprocessing phase) of the cube attack on E0. In this phase, an attacker finds as many maxterms (terms of the encryption function whose co-factor is a linear nonconstant polynomial) as possible. In the actual attacking phase, the attacker solves the system of linear equations through a chosen plaintext attack and reveals useful information about the cryptosystem. The number of operations needed in the computational process is 27'' and is considerably less than that of similar algebraic types of attacks, but it is limited to the output of the LFSRs at any clock cycle. The results of our analysis indicate that if an attacker is an unauthorized participant of the security protocol, then by manipulating some of the output bits of the LFSRs of two arbitrary clock cycles and intercepting the output bits of the entire machine, the attacker succeeds in finding the output bits of the LFSRs at any clock tick.
EXECUTIVE SUMMARY

In this study, we investigated an algebraic-type attack, known as the cube attack, against wireless networks. We implemented the cube attack in a wireless system, namely Bluetooth. We formally modeled the encryption function of the E0 Bluetooth key generator and automated the factorization process (preprocessing phase) of the cube attack on E0. In this phase, an attacker finds as many maxterms (terms of the encryption function whose co-factor is a linear nonconstant polynomial) as possible. In the actual attacking phase, the attacker solves the system of linear equations through a chosen plaintext attack and reveals useful information about the cryptosystem. The number of operations needed in the computational process is 27' and is considerably less than that of similar algebraic types of attacks, but it is limited to the output of the LFSRs at any clock cycle. The main contribution of this thesis is that if the attacker is an unauthorized participant of the security protocol, then by manipulating some of the output bits of the LFSRs of two arbitrary clock cycles and intercepting the output bits of the entire machine, the attacker succeeds in finding the output bits of the LFSRs at any clock tick. The most important question that needs to be answered next is how one can recover the encryption key of E0 after knowing the output bits of every LFSR at any clock, which this study provides.

Building on these results, the next stage of the research is to validate our integration of the cube-type attack into the Bluetooth encryption protocol. As demonstrated in this and other research cited in this thesis, one needs to understand and formally evaluate the strength of a given cryptosystem, and be able to evaluate its implementation to ensure that there are no flaws at that stage. The cryptosystem and the protocol it uses may be good, but if poorly implemented they will most likely be untrustworthy.
I. INTRODUCTION

A. MOTIVATION

Nowadays, there is great interest from the United States Department of Defense in moving from wired communication systems to wireless systems. How to secure wireless cryptosystems, which are known to have suffered malicious attacks, is a question this thesis is attempting to answer. Sun-Tzu (400–320 BC, translated by Giles, 1910) stated: "If you know the enemy and know yourself, you need not fear the result of a hundred battles." As in that saying, there is a need to see and understand the mathematical theory hidden in modern types of attacks, and to know how effective they are compared to the traditional exhaustive key searches in wireless security protocols (e.g., Bluetooth, Wi-Fi, Wi-Max).
Bluetooth is a well-established wireless communications standard (IEEE 802.15.1) between different devices (e.g., personal computers, laptops, mobile phones) that operates over a short range and at low power. For efficiency reasons, such as speed, size and power consumption, the system uses a stream cipher encryption (E0) instead of the widely-used block ciphers. Four linear feedback shift registers¹ (LFSRs) are used in the algorithm, and a nonlinear Boolean function combines their output. The plaintext is then combined with the output key stream using an exclusive OR (XOR), producing the ciphertext. Wired Equivalent Privacy (WEP), IEEE 802.11, is another security protocol, used for Wi-Fi networks. It provides authentication and encryption. The key component of this protocol is the commonly used stream cipher RC4. IEEE 802.11, which has questionable functionality due to the wireless packet network structure, provides relatively weak encryption and one-way authentication, and has no key-distribution mechanisms. IEEE 802.11i updated the previous protocol and underwent final ratification, providing much stronger forms of encryption, an extensible set of authentication mechanisms, and key distribution capabilities. It includes an Advanced Encryption Standard (AES)-based encryption scheme. World Interoperability for Microwave Access (Wi-Max) is a family of IEEE 802.16 standards that aims to deliver wireless data to a large number of users over a wide area at rates that rival those of cable modems. There are two schemes for data encryption supported in the 802.16 standard, the Advanced Encryption Standard (AES) and the Triple Data Encryption Standard (3DES). Both of these schemes are block ciphers that operate on one block or chunk of data at a time, whereas stream ciphers can act on a single bit. AES handles a 128-bit block of data at a time, and has been shown to be very fast and easy to implement.

¹ In digital circuits, a shift register is a type of sequential logic circuit mainly for storage of digital data, set up in a linear fashion, which has its inputs connected to the outputs in such a way that the data shifts down the line when the circuit activates. A linear feedback shift register is a shift register whose input bit is the output of a linear function of two or more of its previous states (from [23], p. 19).

This thesis will investigate from a theoretical perspective the effectiveness of several promising attacks against linear feedback shift register (LFSR)-based ciphers; specifically, we will look at correlation, algebraic, and cube attacks implemented against Bluetooth encryption (128-bit key size).

Correlation attacks deal with distinguishing and recovering keys, mainly against stream ciphers. They rely on a statistically biased relation between the produced keystream and the output of certain LFSR sequences. Using the notion of correlation, there is a direct relation between the output state of an individual LFSR in the keystream generator and the output of the Boolean function that combines the output states of all LFSRs. Therefore, partial knowledge of the keystream (derived from partial knowledge of the plaintext) is needed. In 2004, Lu and Vaudenay used a correlation attack and implemented it on the E0 Bluetooth keystream generator by applying a novel maximum decoding algorithm based on the Walsh transform (a feature of Boolean functions), and succeeded in key recovery in 2” operations after 2°’ operations of precomputation [1]. One year later, Lu, Meier and Vaudenay proposed the use of conditional correlation attacks. The term "conditional correlation" describes the linear correlation of the inputs conditioned on a given short output pattern of a nonlinear function with small input size. Their attack was implemented on the output of the same key generator E0 of Bluetooth and disclosed the encryption key in 2* operations using the first 24 bits of 2° frames, thus improving the previous results of two of the authors [2]. One can also use algebraic attacks against LFSR-based stream ciphers. Algebraic attacks consist of expressing the whole cipher as a large system of multivariate algebraic equations that can be solved to recover the secret key. The unknowns in these equations occasionally represent the bits of the secret key. A major parameter that influences the complexity of such attacks is the degree of the underlying algebraic system. When the transition is linear, any keystream bit can be expressed as a function of degree $\deg(f)$ in the initial state bits. However, despite the high degree of the filtering Boolean function that is used in the keystream generator, such an attack can be applied as soon as there are relations of low degree between the output and the inputs of the Boolean function. Armknecht proposed a scheme that solved the E0 cryptosystem in 2”*' operations [3].

Dinur and Shamir described a type of algebraic attack called the cube attack [4]. This active assault on a cryptosystem requires the attacker to extract useful information from the bit stream. By skillfully choosing some publicly settable bits, the attacker may be able to replace the polynomial that represents the encryption function by a system of linear equations. Shamir and Dinur used this approach on the Trivium cipher and recovered the encryption key in 2” bit operations, which is the best result in the literature so far. Zhang et al. extended Shamir and Dinur's approach to other polynomials $f$ for which they could find a lower degree polynomial $g$, so that the product $fg$ also has a lower degree. They applied this attack on the Toyocrypt cipher with re-synchronization, breaking the stream cipher in a few milliseconds on an ordinary PC [5].

All of the above-mentioned attacks are based on the cryptographic 
features of Boolean functions that have been an object of study in modern 
cryptography for about the last thirty-five years. 


B. THESIS OUTLINE

The thesis consists of seven chapters. In Chapter I, the author gives a general outline of the work, describes the motivation for this research, and defines the problem that will be investigated. In Chapter II, the author describes the mathematical background necessary for the reader to understand the material that follows, the tools the author will use (Boolean functions, the security protocol of E0, etc.), and the basic definitions of cryptosystems and wireless security. In Chapter III, the author examines the correlation and algebraic attacks and their theoretical background. In Chapter IV, the author details the cube attack concept and, in Chapter V, he models the Bluetooth keystream generator E0. In Chapter VI, the author details the tool he created in order to automate the cube attack and analyzes the results. The author ends this thesis with the conclusions reached from the research and provides future recommendations.


C. THE PROBLEM

In recent years, there has been great interest from the Department of Defense in substituting ground-wired networks (LANs) with short-range (Bluetooth) or medium-range (Wi-Fi) wireless networks. Several types of attacks have been successful at defeating the cryptosystems used by IEEE 802.11 and 802.16 technologies, leading one to ask the question: how much trust should we place in the wireless encryption protocols?


D. ACCOMPLISHMENTS OF THIS STUDY

We formally modeled the encryption function of the E0 Bluetooth key generator and automated the factorization process (preprocessing phase) of the cube attack on E0. We applied the cube-type attack and reduced the search space for the output of the LFSRs of E0, a hard task since Bluetooth E0 uses a more complex encryption algorithm than the ciphers on which the cube attack has been implemented so far. The main contribution of this thesis is that, under the assumption that the attacker is an unauthorized participant of the security protocol, by manipulating some of the output bits of the LFSRs of two arbitrary clock cycles and intercepting the output bits of the entire encryption machine the attacker succeeds in revealing the output bits of the LFSRs at any clock cycle.
II. BACKGROUND

A. COMPUTER SCIENCE

1. Security Protocol

Definition 2.1: "A security protocol is a sequence of messages between two or more parties in which encryption is used to provide authentication or to distribute cryptographic keys for new conversations." [6]

The majority of the security protocols in computer networks are based on cryptography, which is why they are also called cryptographic protocols. In order to establish a secure communication there is a sequence of steps the participating parties must perform. These steps include the transmission of a message, possibly encrypted, of participant names, cryptographic keys, random numbers, timestamps, ciphertexts and concatenations of these components. A security protocol aims to achieve certain goals upon its completion, such as verifying the authenticity of the sender, ensuring the integrity of the transmitted message, protecting the confidentiality of the header and contents of the message, and providing for nonrepudiation. A security protocol is said to be flawed if it fails to achieve its claimed goals [7].


2. Wireless Security

Security is an important concern in wireless networks because the radio frequency (RF) transmissions can be monitored by malicious people. A cryptosystem is a system used to encrypt a plaintext into ciphertext and, at the other end, to decrypt a ciphertext into plaintext. The cryptosystem is also used to ensure the four main goals of information security: confidentiality, integrity, authenticity and nonrepudiation.


3. Cryptosystem

Definition 2.2: "A cryptosystem is a five-tuple $(P, C, K, E, D)$, where the following conditions are satisfied:
1. $P$ is a finite set of possible plaintexts.
2. $C$ is a finite set of possible ciphertexts.
3. $K$ is the keyspace, which is a finite set of possible keys.
4. For each $k \in K$ (i.e., for each key that belongs to the keyspace), there is an encryption rule $e_k \in E$ and a corresponding decryption rule $d_k \in D$. Each $e_k : P \to C$ and $d_k : C \to P$ are functions such that $d_k(e_k(x)) = x$ for every plaintext element $x \in P$." [8]

The main property of all the above is the fourth property: if a plaintext $x$ is encrypted using an encryption rule $e_k$, the resulting ciphertext will be decrypted using the decryption rule $d_k$, revealing the original plaintext $x$.

For our work, we choose $P = C = \mathbb{Z}_2^m$, where $m$ is the length of the plaintext to be enciphered and $\mathbb{Z}_2$ is the set of remainders when dividing integers by 2. Thus, $\mathbb{Z}_2$ has two elements $\{0, 1\}$ and is called the set of integers modulo 2. $\mathbb{Z}_2[X]$ is the set of polynomials whose coefficients are integers modulo 2.


4. Wireless Threats

In common terms, a hacker is a person who legally or illegally gains access to a computer system to make changes to the system or to reveal security flaws [9, p. 379].

We consider three types of hackers. The whitehat hacker is a person who is hired by a company to find the flaws in a computer system. A blackhat hacker is a person who illegally accesses a computer system. There are also greyhat hackers, namely something in the middle: persons who access a computer system without authorization to make changes, mostly for publicity purposes and to gain popularity [9, p. 393].


Some common types of attacks on wireless systems are discussed below [10]. In traffic analysis or passive eavesdropping, an adversary intercepts the traffic in a wireless local area network (WLAN). Active eavesdropping occurs when the adversary inserts a message into the network and, from the response of the system, derives useful information about the system such as response time. There is also message deletion on a network, which implies full control of the network by the attacker. Next is session hijacking, where the adversary might hijack a valid session and put the authentication between legitimate users in dispute. There is also the man-in-the-middle attack, where the adversary must participate in the communication between the target parties. Before this happens, the adversary spoofs the authentication process of both parties and then breaks the connection between the two parties. The adversary pretends to be the legitimate one of the two associated users.

The Diffie-Hellman algorithm is vulnerable to the man-in-the-middle attack, because no authentication occurs before the two parties exchange the secret keys [11]. Finally, denial-of-service (DoS) attacks have as their goal to deny the services that the target system provides. Denial-of-service (DoS) attacks may be launched over the Internet to target routers, servers, and firewalls. This makes them rapidly use all of their resources and become unable to provide further services. There are policies and enforcement mechanisms that can be put in place to guard against such attacks, but consideration of these is outside the scope of this thesis.


From a cryptanalysis point of view, the most common models of attack are as follows:

1. Ciphertext-only attack: The adversary possesses a ciphertext, possibly by intercepting traffic.
2. Known-plaintext attack: The adversary possesses a plaintext and its corresponding ciphertext.
3. Chosen-plaintext attack: The adversary has access to the encryption cipher; he can choose a plaintext and construct the corresponding ciphertext, and he can repeat this process as many times as he likes.
4. Chosen-ciphertext attack: The adversary has access to the decryption cipher; he can choose a ciphertext and construct the corresponding plaintext, and he can repeat this process as many times as he likes.

Here, the goal of the adversary is to determine the secret key that has been used by the cipher. Correlation, algebraic and cube attacks, the foundations of our results, are detailed in the following chapters.


B. MATHEMATICAL THEORY

The attack we have developed is based on several mathematical concepts. Below we provide a description of these. We assume that the reader has some familiarity with the concepts from Abstract Algebra and Boolean functions.

At a very high level, a Boolean function outputs a single bit result (0 or 1) for each possible combination of values from many Boolean variables. The algebraic environment of Boolean functions is a vector space (defined below) of dimension $n$ over the binary field. The Boolean output consists of the bit values $\{0, 1\}$, with "XOR" as addition and "AND" as multiplication.

1. Vector Space

A field is a set endowed with two operations, satisfying a plethora of conditions. We will use mostly the binary field $\mathbb{F}_2$, whose addition and multiplication operations are defined as follows:
$$0 \oplus 0 = 0, \quad 0 \oplus 1 = 1 \oplus 0 = 1, \quad 1 \oplus 1 = 0,$$
$$0 \cdot 0 = 0, \quad 1 \cdot 0 = 0 \cdot 1 = 0, \quad 1 \cdot 1 = 1.$$
Definition 2.3: Let $F$ be an algebraic field. A vector space over $F$ (or $F$-vector space) consists of an abelian (commutative) group $V$ under addition together with an operation of scalar multiplication of each element of $V$ by each element of $F$ on the left, such that for all $a, b \in F$ and $\alpha, \beta \in V$ the following conditions are satisfied:
• $a\alpha \in V$.
• $a(b\alpha) = (ab)\alpha$.
• $(a + b)\alpha = (a\alpha) + (b\alpha)$.
• $a(\alpha + \beta) = (a\alpha) + (a\beta)$.
• $1\alpha = \alpha$.

The elements of $V$ are vectors and the elements of the algebraic field $F$ are scalars. When only one field $F$ is under discussion, the reference to $F$ is dropped and one refers simply to a vector space [12]. Specifically, let $V_n$ be the vector space of dimension $n$ over the two-element field $\mathbb{F}_2$. For two vectors in $V_n$, say $a = (a_1, \ldots, a_n)$ and $b = (b_1, \ldots, b_n)$, the scalar product is defined as
$$a \cdot b = a_1 b_1 \oplus \ldots \oplus a_n b_n,$$
where the multiplication and the addition $\oplus$ are over $\mathbb{F}_2$ (this operation should not be confused with the direct product of vector spaces). The operation $*$ on vectors is defined by $a * b = (a_1 b_1, \ldots, a_n b_n)$.

When one is dealing with the vector space $V_n = \mathbb{F}_2^n$ (where $\mathbb{F}_2^n = \underbrace{\mathbb{F}_2 \times \mathbb{F}_2 \times \ldots \times \mathbb{F}_2}_{n \text{ times}}$ represents the set of all $n$-tuples of 0's and 1's), the following operations apply:
• Addition:
$$(v_1, v_2, v_3, \ldots, v_n) \oplus (w_1, w_2, w_3, \ldots, w_n) = (v_1 \oplus w_1, v_2 \oplus w_2, v_3 \oplus w_3, \ldots, v_n \oplus w_n)$$
• Multiplication:
  • Scalar multiplication (scalar product):
$$(v_1, v_2, v_3, \ldots, v_n) \cdot (w_1, w_2, w_3, \ldots, w_n) = v_1 w_1 \oplus v_2 w_2 \o v_3 w_3 \oplus \ldots \oplus v_n w_n$$
  • Vector intersection:
$$(v_1, v_2, v_3, \ldots, v_n) * (w_1, w_2, w_3, \ldots, w_n) = (v_1 w_1, v_2 w_2, v_3 w_3, \ldots, v_n w_n)$$


2. Vector Space and Correspondence of the Finite Field

In abstract algebra, a finite field is any field with a finite number of elements. For every prime $p$ and positive integer $n$ there is exactly one finite field (up to isomorphism) of order $p^n$. The field $GF(2^n)$ is usually referred to as the Galois field of order $2^n$ [12, p. 300].

Definition 2.4: A polynomial is primitive if it is the minimal polynomial of a primitive element of the finite extension field $GF(p^n)$. In other words, a polynomial $P(X)$, with coefficients in $GF(p) = \mathbb{Z}/p\mathbb{Z}$, is a primitive polynomial if it has a root $\alpha$ in $GF(p^n)$ such that $\{0, 1, \alpha, \alpha^2, \alpha^3, \ldots, \alpha^{p^n - 2}\}$ is the entire field $GF(p^n)$ and $P(X)$ is the smallest degree polynomial having $\alpha$ as a root in $GF(p^n)$.

Any finite field of dimension $n$ over $GF(p)$ can be constructed by taking a primitive polynomial $P$ of degree $n$ ($P$ is primitive and $\deg P(X) = n$).

For the Galois field $GF(2)$ we have the correspondence $GF(2^n) \cong \mathbb{F}_2^n$:
$$GF(2^n) = \frac{\mathbb{F}_2[X]}{\langle P \rangle} = \{a_0 + a_1 X + \ldots + a_{n-1} X^{n-1} : a_i \in \mathbb{F}_2\}.$$

Given such a representation of $GF(2^n)$ by a polynomial $P$, to every element $a_0 + a_1 X + \ldots + a_{n-1} X^{n-1}$ we associate the vector $(a_0, a_1, \ldots, a_{n-1}) \in \mathbb{F}_2^n = V_n$. This does not mean that both structures are the same; rather, it means that there is a bijective correspondence between those two structures.
Example 2.5:

Assume one is working in $GF(2^3)$, thus $GF(2^3) = \dfrac{\mathbb{F}_2[X]}{\langle P \rangle} = \{0, 1, \alpha, \ldots\}$. One has to use a primitive polynomial of degree 3, say $P = X^3 + X + 1$.

GF(2^3)               V_3
0                     000
1 = α^0               001
α                     010
α^2                   100
α^3 = α + 1           011 = 010 + 001
α^4 = α^2 + α         110 = 100 + 010
α^5 = α^2 + α + 1     111 = 100 + 010 + 001
α^6 = α^2 + 1         101 = 100 + 001
α^7 = 1               001

Table 1. Correspondence between Finite Fields and Vector Spaces

Observations:
(1) $\alpha^3 + \alpha + 1 = 0 \Rightarrow \alpha^3 = \alpha + 1$, since $\alpha$ is a primitive element (a root of $P$).
(2) $\alpha^4 = \alpha(\alpha^3) = \alpha(\alpha + 1) = \alpha^2 + \alpha$; continue in that fashion up to the element where there is repetition ($\alpha^7 = 1$).
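To make Table 1 concrete, the following is an added example (not code from the thesis): it builds the power table of $\alpha$ for any defining polynomial, checks primitivity by the order of $\alpha$, and prints each element both as a polynomial in $\alpha$ and as its $V_n$ vector. The bit encoding of field elements and the function names are this example's own conventions.

```python
# Added example (not from the thesis): constructing the GF(2^n) <-> V_n correspondence
# of Table 1 from a primitive polynomial.  Field elements are stored as n-bit
# integers whose bit i is the coefficient a_i of X^i, so format(elem, "03b") prints
# exactly the vector (a_2, a_1, a_0) that Table 1 lists.

def gf2n_multiply(a, b, poly, n):
    """Multiply two elements of GF(2^n) = F_2[X]/<P>, reducing modulo P.

    `poly` encodes P(X) as an int with bit n set, e.g. X^3 + X + 1 -> 0b1011.
    Classic shift-and-add: for each bit of b, add (XOR) the current multiple of a.
    """
    result = 0
    for _ in range(n):
        if b & 1:
            result ^= a
        b >>= 1
        a <<= 1
        if (a >> n) & 1:        # degree reached n, so subtract P(X) (XOR in GF(2))
            a ^= poly
    return result

def is_primitive(poly, n):
    """P is primitive iff alpha = X has multiplicative order exactly 2^n - 1 mod P."""
    order = 2 ** n - 1
    elem = 1
    for k in range(1, order + 1):
        elem = gf2n_multiply(elem, 0b10, poly, n)   # multiply by alpha = X
        if elem == 1:
            return k == order
    return False

def power_table(poly, n):
    """Return the list [alpha^0, alpha^1, ..., alpha^(2^n - 1)] as ints.

    For a primitive P the first 2^n - 1 entries are all the nonzero elements and
    the last entry wraps around to 1, as Observation (2) of Example 2.5 describes.
    """
    table = []
    elem = 1
    for _ in range(2 ** n):
        table.append(elem)
        elem = gf2n_multiply(elem, 0b10, poly, n)
    return table

def as_vector(elem, n):
    """The V_n vector (a_{n-1}, ..., a_0) of an element, written as a bit string."""
    return format(elem, f"0{n}b")

def as_polynomial(elem):
    """Human-readable a_0 + a_1 alpha + ... form of an element."""
    terms = [("1" if i == 0 else "a" if i == 1 else f"a^{i}")
             for i in range(elem.bit_length()) if (elem >> i) & 1]
    return " + ".join(terms) if terms else "0"

if __name__ == "__main__":
    P, n = 0b1011, 3                      # X^3 + X + 1 from Example 2.5
    print("X^3 + X + 1 primitive:", is_primitive(P, n))     # True
    print("X^3 + 1 primitive:   ", is_primitive(0b1001, n))  # False, since X^3 = 1
    for k, e in enumerate(power_table(P, n)):
        print(f"a^{k} = {as_polynomial(e):<13} <-> {as_vector(e, n)}")
```

Running the block reproduces Table 1 row by row; swapping in a reducible polynomial such as $X^3 + 1$ shows the order of $\alpha$ collapsing to 3, which is why only primitive polynomials give the full correspondence.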
3. Boolean Function

Definition 2.6: A Boolean function $f$ in $n$ variables is a map from a vector space $V_n$ of dimension $n$ over $\mathbb{F}_2$ to the two-element field $\mathbb{F}_2$. The $(0,1)$ sequence generated by the Boolean function $f$ is defined by $(f(v_0), f(v_1), \ldots, f(v_{2^n - 1}))$ and is called the truth table of $f$, where $v_0 = (0, \ldots, 0, 0)$, $v_1 = (0, \ldots, 0, 1)$, $\ldots$, $v_{2^n - 1} = (1, \ldots, 1, 1)$, ordered lexicographically. The $(1,-1)$ sequence of $f$ is defined as $((-1)^{f(v_0)}, (-1)^{f(v_1)}, \ldots, (-1)^{f(v_{2^n - 1})})$.

Any function that is defined on a vector space over a finite field, in particular on $\mathbb{F}_2^n$, is in fact a polynomial [13]. The idea is that if one defines a function that takes any vector into an output, then by taking the degree of the polynomial high enough, one can find appropriate coefficients so that a particular polynomial will match the dataset.

"A Boolean function on $V_n$ can be expressed as a polynomial in $\mathbb{F}_2[x_1, \ldots, x_n] / (x_1^2 - x_1, \ldots, x_n^2 - x_n)$; the algebraic normal form (ANF) is
$$f(x) = \bigoplus_{a \in V_n} c_a x^a, \quad \text{where } c_a \in \mathbb{F}_2 \text{ and } a = (a_1, \ldots, a_n).$$
Moreover, $c_a = \bigoplus_{x \preceq a} f(x)$, where $x \preceq a$ means that $x_i \le a_i$ for all $1 \le i \le n$. The algebra of all Boolean functions on $V_n$ will be called $\mathcal{B}_n$." [13, pp. 5–6]
(Here $x^a$ denotes the monomial $x_1^{a_1} x_2^{a_2} \cdots x_n^{a_n}$.)


The simplest Boolean functions are the constant functions 0 and 1.

Example 2.7:

Assume $n = 3$, thus working on $V_3$. Let $f : V_3 \to \mathbb{F}_2$, $f(x_1, x_2, x_3) = x_1 x_2 \oplus x_3$, be the algebraic normal form (ANF) of a Boolean function $f$.

V_3 (lexicographical order)    f
x3 x2 x1
000                            0
001                            0
010                            0
011                            1
100                            1
101                            1
110                            1
111                            0

Table 2. Truth Table of f

Thus, the Boolean function has the following truth table (Table 2): $f = 00011110$. One can infer the ANF of $f$ from the sequence of bits of that Boolean function and vice versa.
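The two directions just mentioned (truth table from ANF, and ANF from truth table via $c_a = \bigoplus_{x \preceq a} f(x)$) are shown in the following added example, which is not code from the thesis. It applies the binary Möbius transform to the function of Example 2.7; the index convention (with $x_1$ as the least significant bit, matching Table 2) and the helper names are this example's own.

```python
# Added example (not from the thesis): moving between the truth table of Definition
# 2.6 and the algebraic normal form of a Boolean function with the binary Moebius
# transform, i.e. the formula c_a = XOR of f(x) over x <= a, applied to Example 2.7.
# Convention (an assumption of this example, matching Table 2): truth-table index
# v has x_1 as its least significant bit, so index 0b011 means (x_3, x_2, x_1) = (0, 1, 1).

def truth_table(f, n):
    """Evaluate f(x_1, ..., x_n) at every index v of V_n, x_1 = lowest bit of v."""
    return [f(*[(v >> i) & 1 for i in range(n)]) for v in range(2 ** n)]

def moebius(bits):
    """Binary Moebius transform, computed on a copy in n * 2^n steps.

    It is an involution: applied to a truth table it yields the ANF coefficient
    vector (c_a indexed by the monomial mask a), and applied again it gives the
    truth table back.
    """
    bits = list(bits)
    n = len(bits).bit_length() - 1
    for i in range(n):
        step = 1 << i
        for v in range(len(bits)):
            if v & step:
                bits[v] ^= bits[v ^ step]      # fold in the value at a <= v
    return bits

def anf_monomials(coeffs):
    """Names of the monomials x^a with c_a = 1, e.g. ['x1x2', 'x3']."""
    n = len(coeffs).bit_length() - 1
    names = []
    for a, c in enumerate(coeffs):
        if c:
            names.append("".join(f"x{i + 1}" for i in range(n) if (a >> i) & 1) or "1")
    return names

def algebraic_degree(coeffs):
    """Degree of the ANF: largest weight of a mask a with c_a = 1 (-1 for f = 0)."""
    return max((bin(a).count("1") for a, c in enumerate(coeffs) if c), default=-1)

def bits_to_string(bits):
    return "".join(str(b) for b in bits)

if __name__ == "__main__":
    tt = truth_table(lambda x1, x2, x3: (x1 & x2) ^ x3, 3)   # f of Example 2.7
    print("truth table:", bits_to_string(tt))                # 00011110
    anf = moebius(tt)
    print("ANF monomials:", anf_monomials(anf), "degree", algebraic_degree(anf))
    assert moebius(anf) == tt                                # and back again
```

The transform costs $n 2^n$ bit operations instead of the $4^n$ of applying the $c_a$ formula term by term, which matters once $n$ reaches the register sizes used by real keystream generators.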


Definition 2.8: An affine function $l_{a,c}$ on $V_n$ is a function that takes the form
$$l_{a,c}(x) = a \cdot x \oplus c = a_1 x_1 \oplus \ldots \oplus a_n x_n \oplus c,$$
where $a = (a_1, a_2, \ldots, a_n) \in V_n$ and $c \in \mathbb{F}_2$. If $c = 0$, then $l_{a,0}$ ($= l_a$) is a linear function [13, p. 6].


Definition 2.9: Let $A$ be a set. If there are exactly $n$ distinct elements in $A$, where $n$ is a nonnegative integer, we say that $A$ is a finite set and $n$ is the cardinality of $A$. The cardinality of $A$ is denoted by $|A|$ [14].


Lemma 2.10: The number of all affine functions in $n$ variables is $|A_n| = 2^{n+1}$.

Proof: By definition, an affine function depends on $n + 1$ parameters $a_1, a_2, \ldots, a_n, c$, each of which takes values in $\{0, 1\}$. Therefore, the number of such choices is $2^{n+1}$. The set of all affine functions is a small class of Boolean functions. Additionally, one should note that the set of all linear functions $L_n$ has $|L_n| = 2^n$ elements, since $c = 0$. □
Lemma 2.11: The number of all Boolean functions in $n$ variables is $|\mathcal{B}_n| = 2^{2^n}$.

Proof: By definition, a Boolean function $f$ is a mapping $f : V_n \to \mathbb{F}_2$. Since the cardinality of $V_n$ is $2^n$ (the same as the cardinality of the set of all linear functions), the following holds for the set of all such functions:
$$|\text{functions}| = |\mathbb{F}_2|^{|V_n|} = 2^{2^n}, \text{ and so } |\mathcal{B}_n| = 2^{2^n}. \quad \square$$

Example 2.12:

For $n = 4$, the number of Boolean functions is $2^{2^4} = 2^{16}$. For $n = 6$, the number of Boolean functions is $2^{2^6} = 2^{64}$. As can be seen from these examples, the class of Boolean functions becomes extremely large. From a cryptographic point of view, one wants to count the elements of such a set because if the set is small, then one can implement an exhaustive approach and do whatever analysis one wants to do.


4. Hamming Weight and Distance

In coding theory, the Hamming distance between two bit strings of the same size is the number of bits where they differ. The Hamming distance is a metric and represents the minimum number of substitutions necessary to transform one bit string into another. For example, if $f = 101001101$ and $g = 011011100$, then their Hamming distance is $d(f, g) = 4$. The Hamming weight of a string is the number of 1's it has, i.e., its distance from the 0-vector. Thus, in the previous example $wt(f) = 5$, $wt(g) = 5$.

The Hamming weight of a Boolean function $f$ is the number of 1's in the truth table of $f$. More formally:

Definition 2.13: The Hamming weight of a vector $x \in V_n$, denoted by $wt(x)$, is the number of 1's in the vector $x$. For a Boolean function $f$ on $V_n$, let $\Omega_f = \{x \in V_n : f(x) = 1\}$ be the support of $f$. The Hamming weight of a function $f$ is the Hamming weight of its truth table, that is, the cardinality of $f^{-1}(1)$ or equivalently $wt(f) = |\Omega_f|$. The Hamming distance between two functions $f, g : V_n \to \mathbb{F}_2$, denoted by $d(f, g)$, is defined as
$$d(f, g) = wt(f \oplus g).$$


5. Walsh Transform

The Walsh or Hadamard transform is a type of discrete Fourier transform of a Boolean function. Using the Walsh transform, correlations in combining functions may be identified.

Definition 2.14: "The Walsh transform of a function $f$ on a vector space $V_n$ of dimension $n$ over $\mathbb{F}_2$ (with the values of $f$ taken to be real numbers 0 and 1) is the map $W(f) : V_n \to \mathbb{R}$, defined by
$$W(f)(w) = \sum_{x \in V_n} f(x)(-1)^{w \cdot x}. \qquad (2.1)$$
This defines the coefficients of $f$ with respect to the orthogonal basis of the group characters $Q_w(x) = (-1)^{w \cdot x}$; $f$ can be recovered by the inverse Walsh transform:
$$f(x) = 2^{-n} \sum_{w \in V_n} W(f)(w)(-1)^{w \cdot x}. \qquad (2.2)$$
The Walsh spectrum of $f$ is the list of $2^n$ Walsh coefficients given by (2.1) as $w$ varies" [13, p. 8].
III. CORRELATION AND ALGEBRAIC ATTACKS

A. INTRODUCTION

In recent years, as communication and computer-based systems have come into common use in both commercial and military environments, stream ciphers remain dominant, since a stream cipher provides speed to the encryption process and allows synchronization between data and voice in broadband channels. Short-range (Bluetooth) and medium-range (Wi-Fi) wireless networks use stream ciphers to provide authentication and data encryption between a host and wireless access points. Bluetooth uses the E0 stream cipher and WEP uses the RC4 stream cipher, which provides weak encryption. Wi-Fi uses the IEEE 802.11i (Wi-Fi Protected Access 2, WPA2) protocol for encryption. WPA2 uses the block cipher Advanced Encryption Standard (AES). World Interoperability for Microwave Access (Wi-Max) is an IEEE 802.16 standard that aims to deliver wireless data fast and over a long range. Wi-Max uses a combination of AES and 3DES (Triple Data Encryption Standard). In this chapter, we present the foundations of correlation and algebraic attacks. We review the basic features of these attacks and discuss the results of the implementation of these attacks on stream ciphers used in a wireless environment such as Bluetooth.

B. PROPERTIES OF BOOLEAN FUNCTIONS

Boolean functions are polynomials of $n$ variables with one-bit output; they are used in several cryptographic applications in wireless systems and must satisfy several cryptographic criteria. Although the required quality of these properties depends on the specific cryptosystem that is implemented, the properties on which a Boolean function must focus are balance, nonlinearity, correlation immunity, and high algebraic degree, just to mention a few.
1. Balance of Boolean Functions

A Boolean function is balanced if its output is equally distributed, which means that its Hamming weight is $2^{n-1}$, where $n$ is the number of variables.

2. Nonlinearity

The nonlinearity of a Boolean function $f$, $N_f$, is defined as the minimum Hamming distance between the function itself and every single function that belongs to the set of the affine Boolean functions. Thus,
$$N_f = \min_{l \in A_n} d(f, l),$$
where $A_n$ is the class of all affine functions on the vector space $V_n$ [13, p. 7].

3. Correlation and Algebraic Immunity

A Boolean function $f$ has correlation immunity of order $k$ if its values are statistically independent of any subset of $k$ input variables. Correlation is a useful concept in cryptanalysis, because it may reveal to an attacker how an encryption function $f$ behaves if one slightly changes the input. Furthermore, a Boolean function with a low order of correlation immunity is more susceptible to attacks on the system than a Boolean function with a high order of correlation immunity. Siegenthaler in [15] showed that a high algebraic degree will restrict the maximum possible correlation immunity: the correlation immunity $k$ of a Boolean function $f$ of degree $d$ in $n$ variables satisfies the relation $k + d \le n$.
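The quantities of Definitions 2.13 and 2.14 and of Sections III.B.1–3 (weight, distance, Walsh spectrum, balance, nonlinearity, correlation immunity) can all be read off one spectrum. The following added example (not code from the thesis) does so for the combiner $f(x, y, z) = xy \oplus yz \oplus z$ used later in Example 3.3, deriving the $(1,-1)$ spectrum from the 0/1 transform of (2.1) and cross-checking the nonlinearity against a brute-force search over all affine functions. The truth-table index convention and the helper names are this example's own assumptions.

```python
# Added example (not from the thesis): Hamming weight and distance (Definition 2.13),
# the Walsh transform (2.1) with its inverse (2.2), and the balance, nonlinearity and
# correlation-immunity checks of Section III.B, evaluated on the combiner
# f(x, y, z) = xy + yz + z of Example 3.3.  Conventions are assumptions of this example:
# a function is its truth table (a list of 0/1 of length 2^n) and index v encodes the
# input in the x y z order of the Example 3.3 table, x as the high bit, z as the low bit.

def dot(a, b):
    """Scalar product a . b over F_2 of two n-bit masks."""
    return bin(a & b).count("1") & 1

def wt(bits):
    """Hamming weight: number of 1's in a vector or truth table."""
    return sum(bits)

def hamming_distance(f, g):
    """d(f, g) = wt(f xor g)."""
    return wt([a ^ b for a, b in zip(f, g)])

def walsh(f):
    """W(f)(w) = sum_x f(x) (-1)^{w . x}: the 0/1-valued form, equation (2.1)."""
    n = len(f).bit_length() - 1
    return [sum(f[x] * (-1) ** dot(w, x) for x in range(2 ** n))
            for w in range(2 ** n)]

def inverse_walsh(W):
    """f(x) = 2^{-n} sum_w W(f)(w) (-1)^{w . x}, equation (2.2) (the sum is 2^n f(x))."""
    n = len(W).bit_length() - 1
    return [sum(W[w] * (-1) ** dot(w, x) for w in range(2 ** n)) // 2 ** n
            for x in range(2 ** n)]

def signed_walsh(f):
    """Spectrum F(w) = sum_x (-1)^{f(x) + w . x} of the (1,-1) sequence.

    Since (-1)^{f(x)} = 1 - 2 f(x), F(w) = sum_x (-1)^{w . x} - 2 W(f)(w),
    and sum_x (-1)^{w . x} is 2^n for w = 0 and 0 otherwise.
    """
    n = len(f).bit_length() - 1
    W = walsh(f)
    return [(2 ** n if w == 0 else 0) - 2 * W[w] for w in range(2 ** n)]

def is_balanced(f):
    """Balanced iff wt(f) = 2^{n-1}; equivalently F(0) = 0."""
    return wt(f) == len(f) // 2

def nonlinearity(f):
    """N_f = min over affine l of d(f, l) = 2^{n-1} - max_w |F(w)| / 2."""
    n = len(f).bit_length() - 1
    return 2 ** (n - 1) - max(abs(v) for v in signed_walsh(f)) // 2

def nonlinearity_bruteforce(f):
    """Same quantity by trying all 2^{n+1} affine functions l_{a,c}(x) = a . x + c."""
    n = len(f).bit_length() - 1
    best = len(f)
    for a in range(2 ** n):
        for c in (0, 1):
            affine = [dot(a, x) ^ c for x in range(2 ** n)]
            best = min(best, hamming_distance(f, affine))
    return best

def correlation_immunity(f):
    """Largest k such that F(w) = 0 for every w with 1 <= wt(w) <= k."""
    n = len(f).bit_length() - 1
    F = signed_walsh(f)
    k = 0
    while k < n and all(F[w] == 0 for w in range(1, 2 ** n)
                        if bin(w).count("1") == k + 1):
        k += 1
    return k

def input_correlation(f, w):
    """Probability that f(x) equals the linear function w . x: (2^n + F(w)) / 2^{n+1}."""
    n = len(f).bit_length() - 1
    return (2 ** n + signed_walsh(f)[w]) / 2 ** (n + 1)

def combiner_truth_table():
    """f(x, y, z) = xy + yz + z, index v = (x, y, z) with x the high bit."""
    return [((v >> 2 & 1) & (v >> 1 & 1)) ^ ((v >> 1 & 1) & (v & 1)) ^ (v & 1)
            for v in range(8)]

if __name__ == "__main__":
    f = combiner_truth_table()
    print("f =", "".join(map(str, f)), "balanced:", is_balanced(f))
    print("N_f =", nonlinearity(f), "(brute force:", nonlinearity_bruteforce(f), ")")
    print("correlation immunity order:", correlation_immunity(f))
    for name, w in (("x", 0b100), ("y", 0b010), ("z", 0b001)):
        print(f"P(f = {name}) = {input_correlation(f, w)}")
```

For this combiner the spectrum has nonzero coefficients at the single-variable masks for $x$ and $z$, so the correlation immunity is 0 and $f$ agrees with each of those inputs three times out of four; that is exactly the bias the Siegenthaler bound $k + d \le n$ trades against algebraic degree.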


Definition 3.1: An annihilator of a polynomial $f$ is a nonzero polynomial $g$ such that $fg = 0$.

The above definition motivates the concept of the algebraic immunity $AI(f)$ of a Boolean function $f$ of degree $d$ and of $n$ variables. $AI(f)$ is the least value of $d$ such that either $f$ or $f \oplus 1$ has an annihilator of degree $d$. In other words, given $f$ and $g$ of minimum degree $d$ such that $fg = 0$ or $(f \oplus 1)g = 0$, the algebraic immunity is $d$.
Example 3.2:

Assume $f(x_1,x_2,x_3,x_4) = x_1x_2x_3x_4$ and $g(x_1,x_2,x_3,x_4) = x_1 \oplus x_2 \oplus x_3 \oplus x_4$. Then

$fg = x_1x_2x_3x_4 \oplus x_1x_2x_3x_4 \oplus x_1x_2x_3x_4 \oplus x_1x_2x_3x_4 = 0,$

since $x_1^2 = x_1$, $x_2^2 = x_2$, $x_3^2 = x_3$, $x_4^2 = x_4$ over GF(2), so each product $x_1x_2x_3x_4 \cdot x_i$ collapses to $x_1x_2x_3x_4$ and the four equal terms cancel.

Notice that $f$ is of degree 4 with four variables, whereas $g$ is of degree 1.


C. CORRELATION ATTACKS

Correlation and fast or conditional correlation attacks [1], [2] use a biased relation between the keystream and certain LFSR output sequences, a relation that first has to be found. A correlation attack is a probabilistic approach. When an attacker knows the LFSRs of a cipher and has access to the output of the Boolean function that combines the outputs of all the LFSRs, then he may find the initial values of the LFSRs by simply guessing the initial value of each LFSR separately.

The following example illustrates the correlation attack process.
Example 3.3:

Suppose that a keystream generator consists of three LFSRs, say $x, y, z$, of lengths three, four, and five respectively. Assume that the combiner Boolean function is of the form

$f(x, y, z) = xy \oplus yz \oplus z.$

Then the initial value of the key must be $12 = 3 + 4 + 5$ bits long. Suppose that the initial values of the LFSRs are $x = 011$, $y = 0101$, $z = 11100$, and for bits $i = 0, 1, 2, \dots, 23$ the following evaluations hold:

x_i = 011100101110010111001011
y_i = 010110010001111010110010
z_i = 111000110111010100001001
k_i = 111100100110010110001011

where $k_i$ is the keystream.


The truth table of the combiner Boolean function $f$ is of the following form:

x y z f
0 0 0 0
0 0 1 1
0 1 0 0
0 1 1 0
1 0 0 0
1 0 1 1
1 1 0 1
1 1 1 1

where $f = 01000111$.

By comparing the columns of the variables $x$, $z$ with $f$ one can easily observe that $f(x,y,z) = x$ with probability $P(f = x) = 3/4$ and $f(x,y,z) = z$ with probability $P(f = z) = 3/4$. Assume that the attacker has access to the following keystream:

k_i = 111100100110010110001011

The attacker is trying to find the initial values of the LFSRs. He guesses that $x = 111$, generates the first 24 bits of $x$ and compares them to $k_i$ as follows:

x_i = 111001011100101110010111
k_i = 111100100110010110001011

Comparison of the two shows that only 12 out of 24 bits match exactly, so the question is this: can an attacker make a better guess? If the attacker guesses $x = 011$ and then generates the first 24 bits of $x$ and compares them to $k_i$, he will find that 21 out of 24 bits match, which is a better match, so the attacker has found the initial value of $x$, as seen below:

x_i = 011100101110010111001011
k_i = 111100100110010110001011


If the $n$ LFSRs have lengths $n_1, n_2, \dots, n_n$, then the correlation attack needs $2^{n_1} + 2^{n_2} + \dots + 2^{n_n}$ effort, which is much less than the work required for the exhaustive key search, which is $2^{n_1 + n_2 + \dots + n_n}$.
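The correlation attack of Example 3.3 carried out in code, as an added example that is not the thesis author's code. The three LFSR feedback recurrences are an assumption, chosen so that they reproduce the page's $x_i$, $y_i$, $z_i$ sequences bit for bit; the block then ranks every candidate initial state of the $x$ register by its agreement with the 24 keystream bits, which is the divide-and-conquer step the text describes.

```python
"""Correlation attack on the three-LFSR combiner of Example 3.3 (added example)."""
from itertools import product

# Feedback recurrences are an ASSUMPTION (the page gives only the sequences);
# they were chosen to reproduce the page's x_i, y_i, z_i bit for bit.
# Each spec is (register length, tap positions): the new bit is the XOR of the
# state bits at those positions, position 0 being the oldest bit.
LFSR_X = (3, (0, 1))   # s[t+3] = s[t] ^ s[t+1]
LFSR_Y = (4, (0, 3))   # s[t+4] = s[t] ^ s[t+3]
LFSR_Z = (5, (0, 2))   # s[t+5] = s[t] ^ s[t+2]

# The 24 keystream bits k_i printed on the page.
PAGE_KEYSTREAM = [int(b) for b in "111100100110010110001011"]


def lfsr_bits(spec, init, n):
    """Emit n output bits of a Fibonacci LFSR from the initial state `init`
    (a bit string, oldest bit first); bit t is the oldest bit at time t."""
    length, taps = spec
    if len(init) != length:
        raise ValueError("initial state must have exactly %d bits" % length)
    state = [int(b) for b in init]
    out = []
    for _ in range(n):
        out.append(state[0])
        new = 0
        for tap in taps:
            new ^= state[tap]
        state = state[1:] + [new]
    return out


def combiner(x, y, z):
    """f(x, y, z) = xy ^ yz ^ z, the combiner of Example 3.3."""
    return (x & y) ^ (y & z) ^ z


def keystream(init_x, init_y, init_z, n=24):
    """The generator's keystream for the three initial states."""
    xs = lfsr_bits(LFSR_X, init_x, n)
    ys = lfsr_bits(LFSR_Y, init_y, n)
    zs = lfsr_bits(LFSR_Z, init_z, n)
    return [combiner(a, b, c) for a, b, c in zip(xs, ys, zs)]


def agreement(seq, ks):
    """Number of positions where two bit sequences agree."""
    return sum(1 for a, b in zip(seq, ks) if a == b)


def rank_states(spec, ks):
    """Divide-and-conquer step of the correlation attack: because f agrees
    with x (and with z) on 3/4 of the inputs, the candidate state whose
    output agrees best with the keystream is the right one.  Every non-zero
    initial state of ONE register is tried on its own, so the cost is
    2^L - 1 trials for a length-L register instead of 2^(3+4+5) for the key.
    Returns [(state, agreeing bits)] sorted from best to worst."""
    length, _ = spec
    scores = []
    for bits in product("01", repeat=length):
        init = "".join(bits)
        if init == "0" * length:
            continue          # the all-zero state never leaves zero
        scores.append((init, agreement(lfsr_bits(spec, init, len(ks)), ks)))
    return sorted(scores, key=lambda kv: kv[1], reverse=True)


if __name__ == "__main__":
    # Sanity check: the assumed recurrences reproduce the page's keystream.
    assert keystream("011", "0101", "11100") == PAGE_KEYSTREAM
    for init, score in rank_states(LFSR_X, PAGE_KEYSTREAM):
        print("x = %s: %2d/24 bits agree" % (init, score))
```

The same ranking applied to the $z$ register, which also agrees with $f$ on 3/4 of the inputs, recovers the second register; $y$ has no such bias here, which is why the text only correlates against $x$ and $z$.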


The main derivatives of correlation attacks are fast correlation attacks and conditional correlation attacks. Lu and Vaudenay [1] in 2004 introduced a fast correlation attack and implemented it against the Bluetooth E0 keystream generator (Chapter V details the E0 keystream generator). Although correlations of E0 had been discussed before, this was only for a short sequence of bits; Lu and Vaudenay formulated a powerful method of computing correlations using a recursive expression based on the maximum likelihood decoding (MLD) algorithm by means of a fast Walsh transform (FWT). In order for their attack to succeed, they built a distinguisher for E0 based on the largest bias they found. Their best result, as it concerns E0, is limited to 2” operations for precomputation and 2” operations for the actual key search.


The conditional correlation attack takes advantage of the linear correlation of the inputs conditioned on a known output pattern of a particular nonlinear function; it was proposed by Lu, Meier and Vaudenay in 2005. The best result that they obtained on the Bluetooth E0 keystream generator was 2* operations, requiring the first 24 bits of 2”* frames [2].
D. ALGEBRAIC ATTACKS

At a very high level, algebraic attacks on stream ciphers based upon LFSRs recover the secret key by solving an over-defined system of multivariate algebraic equations. One does so by exploiting multivariate relations involving key bits and output bits; the process becomes more efficient once relations of low degree can be found. The idea of algebraic attacks is based on the capability of an attacker to solve a system of nonlinear multivariate equations of low degree. Courtois and Meier introduced algebraic attacks [16] in 2003. Algebraic attacks have been successful in breaking some keystream generators like Toyocrypt and LILI-128 by drastically reducing the computation time needed. The key idea is to generate low-degree equations by multiplying the initial equations by well-chosen multivariate polynomials. The basic methods used to solve the derived system of equations are the Gröbner basis algorithm or linearization methods like extended linearization (XL) [17].


Courtois and Meier introduced three scenarios (S3a, S3b and S3c) under which low-degree relations may exist in order to implement algebraic attacks [18]:

• S3a: assume that there is a function $g$ of low degree such that $fg \ne 0$ and $fg$ is a low-degree function, where $f$ is a Boolean encryption function.
• S3b: assume that there is a function $g$ of low degree such that $fg = 0$, where $f$ is a Boolean encryption function.
• S3c: assume that there is a function $g$ of high degree and $f$ is of high degree, such that $fg \ne 0$ and $fg$ is a low-degree function, where $f$ is a Boolean encryption function.


Meier, Pasalic and Carlet [19] described a method to find all possible annihilators of a given Boolean function $f$ and an algorithm which determines whether a Boolean function of $n$ variables has low algebraic immunity.
Several algorithms have been introduced that assist in reducing the complexity of solving systems of multivariate equations, but there is no silver bullet, since Garey and Johnson [20] indicate that solving such systems of multivariate polynomial equations is an NP-hard problem. The classical algorithm for solving such a system of equations is Buchberger's algorithm, which transforms the polynomial equations into a Gröbner basis [21]. A Gröbner basis is a set of multivariate polynomials that has the property of Gaussian elimination (one may solve for one variable at a time). Every set of polynomials can be transformed into a Gröbner basis. The solutions of a Gröbner basis are the same as those of the original equations. The linearization algorithms, like XL, have the following steps:

• Find an over-defined system of equations
• Replace each monomial with a new variable
• Solve the new system of equations as a linear system


Example 3.4:
Assume the following system of equations:


x, Bx, Bx, =0 
x; ®x,x, ®1=0 
XX, Dx, =0 

x @xx, @x; =0 
x, Ox @x, =0 
x, @x, =0 


By substitution, u, = x;,u, =x,x,,u,; =x,, 


The following system of linear equations is then obtained: 
x, Bx, Bx, =0 


u, Bu, ®B1=0 
u, ®x, =0 

u, Bu, Bu, =0 
u, Bu; ® x, =0 
u,®x, =0 


which is easy to solve. 


In 2003, Armknecht and Krause [22] applied algebraic attacks to wireless systems like Bluetooth E0, in which the key could be recovered in $2^{68.48}$ operations after the adversary had knowledge of 2” keystream bits. Armknecht in 2004, by using a precomputation step, reduced the complexity to 2^{4!} operations after the adversary had knowledge of 2**“* keystream bits [23].


E. CONCLUSION

In this chapter, the author reviewed some of the recent types of attacks on wireless systems, namely correlation and algebraic attacks. It seems that correlation attacks are faster in the computational process for wireless encryption systems, like Bluetooth, that use stream ciphers, yet algebraic attacks require less data during the preprocessing phase. In the following chapters, the author will investigate a recently introduced type of algebraic attack, the cube attack, which will be applied to the E0 keystream generator.
IV. CUBE ATTACK

A. INTRODUCTION

At the Crypto 2008 conference, Shamir described a new type of algebraic attack, the cube attack. In September 2008, Dinur and Shamir published a paper on ePrint [4] entitled "Cube Attacks on Tweakable Black Box Polynomials" describing their approach. The cube attack is a generic attack that may be applied to block ciphers, stream ciphers, or even keyed hash functions without necessarily having knowledge of the internal structure of the cipher, as long as at least one output bit can be represented by a polynomial of low degree in the secret and public variables. Their approach is based on the basic algebraic cryptanalysis concept, which attempts to replace the polynomial equations that represent a cryptosystem by polynomials of lower degree. The polynomial equations used to describe a cryptosystem are variants derived from a master polynomial by setting some variables to every possible value (0 or 1) and then summing the results. They call this attack the cube attack

"since it sets some public variables to all their possible values in $n$ $(d-1)$-dimensional Boolean cubes, and sums the results in each cube, where $d$ represents the degree of the polynomial and $n$ is the number of variables." [4, p. 5]

The mathematical concepts we use in this chapter are Boolean functions (polynomials of $n$ variables and bit output), factorization of multivariate equations to reveal linear co-factors called superpolys, and solving a system of linear equations.


B. BACKGROUND/KEY OBSERVATIONS ON THE CUBE ATTACK

Actually, the idea of the cube attack is not new. Variations of this attack have been proposed in [24], [25], [26]. These approaches are mostly based on the use of heuristics that sum the output values over Boolean cubes of publicly known variables. They are referred to as chosen-IV statistical attacks and are mainly applicable against stream ciphers. However, the cube attack has a wider range of targets and may be applied to block ciphers as well.

In the cube attack, when the master polynomial is random, one may eliminate with high probability all of the nonlinear terms by using, for example, a chosen plaintext attack, thus reducing the problem to a system of linear equations that is (relatively) easy to solve. Dinur and Shamir implemented their cube attack on the Trivium stream cipher and recovered the encryption key in 2” bit operations. The previous best-known attempt was made by Fischer, Khazaei and Meier in [27], using a chosen-IV statistical analysis; they succeeded in key recovery with 2” bit operations. The master polynomial is taken in algebraic normal form (ANF), which means that it is written as a sum of products of variables.


The following theorem expresses the concept of the cube attack.

Theorem 4.1 [from 5]: Let $f(x)$ be a polynomial in $n$ variables of degree $d$. Suppose $0 < k \le d$ and $t$ is the monomial $x_0 x_1 \cdots x_{k-1}$. Suppose $f$ can be written in the following form:

$f(x) = t\,P(x) \oplus Q(x),$ (4.1)

where none of the terms in $Q(x)$ is divisible by $t$. Note that $\deg(P) \le d - k$. Then the sum of $f$ over all $(x_0, \dots, x_{k-1}) \in F_2^k$,

$\sum_{(x_0,\dots,x_{k-1}) \in F_2^k} f,$

considered as a polynomial in $x_k, \dots, x_{n-1}$, equals

$P(1, \dots, 1, x_k, \dots, x_{n-1})$

and hence is a polynomial of degree at most $d - k$.
Proof: Consider the following equality: $f = tP \oplus Q$. Then,

$\sum_{(x_0,\dots,x_{k-1}) \in F_2^k} f = \sum_{(x_0,\dots,x_{k-1}) \in F_2^k} tP \;\oplus \sum_{(x_0,\dots,x_{k-1}) \in F_2^k} Q.$

In the first sum, $t = x_0 x_1 \cdots x_{k-1}$ vanishes unless all of $x_0, \dots, x_{k-1}$ equal 1, so only one of the $2^k$ terms can be different from 0, and hence

$\sum_{(x_0,\dots,x_{k-1}) \in F_2^k} tP = P(1, \dots, 1, x_k, \dots, x_{n-1}).$

Furthermore, $Q$ is a sum of monomials that are not divisible by $t$. Let $m$ be any one of these monomials. Since $m$ is not divisible by $t$, some $x_i$ with $0 \le i \le k-1$ is excluded from $m$. If $x_i$ is excluded, then the sum across all $(x_0, \dots, x_{k-1}) \in F_2^k$ can be split into two sums: the sum for $x_i = 0$ and the sum for $x_i = 1$. These two sums are equal since $x_i$ does not appear in $m$. Therefore,

$\sum_{(x_0,\dots,x_{k-1}) \in F_2^k} m = 0 \;\Rightarrow\; \sum_{(x_0,\dots,x_{k-1}) \in F_2^k} Q = 0.$
The polynomial $f$ written in the form of Theorem 4.1 is called a master polynomial. The following example illustrates Theorem 4.1.

Example 4.2:

Consider a master polynomial $f$ of degree $d = 3$ in four variables, two known variables $(x_1, x_2)$ and two unknown or secret variables $(x_3, x_4)$. Suppose $f$ has the following algebraic normal form (ANF):
$f(x_1,x_2,x_3,x_4) = x_1x_2x_3 \oplus x_1x_2x_4 \oplus x_1x_2 \oplus x_1x_3x_4 \oplus x_2x_3x_4 \oplus x_1 \oplus x_1x_4 \oplus x_3 \oplus x_4 \oplus 1.$ (4.2)

Third-degree polynomials in four variables may have $\binom{4}{3} + \binom{4}{2} + \binom{4}{1} + \binom{4}{0} = 15$ possible terms. Of these 15 terms, five are linear (the four single variables and the constant) and the remaining ten are nonlinear. To eliminate all the nonlinear terms using Gaussian elimination, at least ten such polynomials, out of the $2^{15}$ possible polynomials over GF(2), are needed. If the two known variables $x_1, x_2$ are set to all their possible values (0 or 1), then one can construct $2^2 = 4$ derived polynomials, which may not be sufficient.
x1 | x2 | Derived polynomial from f | Formal sum over all values of (x1, x2) ∈ {0,1}^2
0 | 0 | x3 ⊕ x4 ⊕ 1 |
0 | 1 | x3x4 ⊕ x3 ⊕ x4 ⊕ 1 | x3 ⊕ x4 ⊕ 1
1 | 0 | x3x4 ⊕ x3 |
1 | 1 | x4 ⊕ 1 |

Table 3. Formal sum of known variables


The points $(0,0), (0,1), (1,0), (1,1)$ can be viewed as the corners of a square of two dimensions (Figure 4.1).

[Figure 1. Square of Two Dimensions: the points (0,0), (0,1), (1,0), (1,1) at the corners of a square]


This concept may scale to more than two variables. For example, if there are three variables then the evaluation will be at eight points, and these correspond to the corners of a cube in three dimensions, which is why Dinur and Shamir called their process the cube attack (Figure 4.2).

[Figure 2. Cube of Three Dimensions: the eight points (0,0,0), (0,0,1), (0,1,0), (0,1,1), (1,0,0), (1,0,1), (1,1,0), (1,1,1) at the corners of a cube]
In a similar fashion, once the function $f$ is factored with respect to the variables $x_1, x_2$,

$f(x_1,x_2,x_3,x_4) = x_1x_2(x_3 \oplus x_4 \oplus 1) \oplus (x_1x_3x_4 \oplus x_2x_3x_4 \oplus x_1 \oplus x_1x_4 \oplus x_3 \oplus x_4 \oplus 1),$ (4.3)

where:
$t_I = x_1x_2$ is the maxterm,
$P_I(x) = x_3 \oplus x_4 \oplus 1$ is the superpoly, a linear co-factor or linear nonconstant polynomial, and
$Q_I(x) = x_1x_3x_4 \oplus x_2x_3x_4 \oplus x_1 \oplus x_1x_4 \oplus x_3 \oplus x_4 \oplus 1$ is the remainder.

The maxterm of the polynomial $f$ is indexed by $I = \{1, 2\}$, a subset of size 2, where $I \subseteq \{1, 2, \dots, n\}$ is the index set of the variables that are multiplied together. Theorem 4.1 is a basic theorem and is the tool used below to cryptanalyze the Bluetooth E0 keystream generator.

Definition 4.3 [from 4]: A maxterm of $f$ is a term $t_I$, or cube, such that the degree of the superpoly $\deg(P_I) = 1$, i.e., $P_I$ is a linear nonconstant polynomial. Based on Theorem 4.1 and illustrated in Example 4.2, the sum of the $2^k$ polynomials derived from the initial polynomial $f$ by assigning all possible values to the $k$ cube variables eliminates all terms except those that are contained in the superpoly of $f$.
Observation 4.4: Using the process described in Theorem 4.1, the monomial coefficients can be computed once all the values of the corresponding variables are summed.

Example 4.5:
Let $f$ be the following polynomial:

$f(x_1,x_2,x_3,x_4,x_5) = x_1x_2x_3 \oplus x_5 \oplus x_2x_4.$

Then all values of $x_1, x_2, x_3, x_4, x_5$ are summed as follows:

$f(0,0,0,0,0) \oplus f(0,0,0,0,1) \oplus f(0,0,0,1,0) \oplus f(0,0,1,0,0) \oplus \dots \oplus f(1,1,1,1,1) = 0.$

The value of the expression above represents the coefficient of the monomial $x_1x_2x_3x_4x_5$. Thus,

$\sum_{(x_1,\dots,x_5) \in F_2^5} f(x_1,\dots,x_5) = 0,$

which confirms that the monomial $x_1x_2x_3x_4x_5$ does not appear in $f$.
Observation 4.4 may be generalized. Assume that the encryption function is of the form

$z = f(x, v).$ (4.4)

Equation (4.4) represents the encryption function of a stream cipher that takes as input $n$ secret bits $x$ and $m$ known bits $v$ of the initialization vector (IV) and outputs a keystream bit $z$. Initially, the initialization vector bits $v$ are fixed over $F_2$, and $T$ is the set of all possible values of $v$, so $|T| = 2^m$. If $f(x, v)$ is summed over $v \in T$, then we can write:

$\sum_{v \in T} f(x, v) = L(x).$ (4.5)

In accordance with Theorem 4.1, if $L(x) \ne 0$ then a maxterm can be found and therefore one linear relation of the key bits is obtained. Therefore, in order to obtain $n - 1$ relations one needs to use the same $f$ with different maxterms. Since there are $n$ such linearly independent relations of the key bits, the secret key can be found by using Gaussian elimination or a chosen plaintext attack.

The cube attack may be completed in two phases: the preprocessing phase, where the attacker finds as many maxterms as possible, and the actual attacking phase, where the attacker solves the system of linear equations.

C. PREPROCESSING AND ONLINE PHASE

1. Preprocessing Phase

Assume that the following relation represents the encryption function of a cipher, written in accordance with Theorem 4.1,

$f(x_0, \dots, x_{n-1}) = t_I P_I(x) \oplus Q_I(x_0, \dots, x_{n-1}),$ (4.6)

and let $C_I$ represent the summation cube of the set of variables with index set $I$. Then, if $t_I$ is a maxterm of the encryption function $f$ in (4.6), the attacker may compute the free term of $P_I(x)$ by summing modulo 2 the values of $f(x)$ over all assignments of the variables in $C_I$, with all other variables set to zero:

$\sum_{(x_0,\dots,x_{k-1}) \in F_2^k} f(x_0, \dots, x_{k-1}, 0, \dots, 0) = P_I(1, \dots, 1, 0, \dots, 0).$

Then the attacker can compute the coefficient of $x_i$ in the linear expression $P_I(x)$ by summing modulo 2 all values of $f(x)$ for input vectors that are 0 everywhere except at $x_i$, which is 1, as detailed in the proof of Theorem 4.1 [4].
In the preprocessing phase, the attacker is trying to find as many maxterms (in the public variables $v_1, \dots, v_m$) as possible and their corresponding superpolys (in the secret variables $x_1, \dots, x_n$), in the following manner:

$f(x, v) = v_1v_2v_3(x_1 \oplus x_2 \oplus x_3) \oplus \dots$
$f(x, v) = v_2v_3v_5(x_1 \oplus x_4) \oplus \dots$
$f(x, v) = v_1v_4(x_2 \oplus x_3) \oplus \dots$
$f(x, v) = v_2(x_1 \oplus x_5) \oplus \dots$

When the attacker has no information about the structure of the encryption function, it can be considered as a black-box polynomial. The attacker can reconstruct the superpolys using linearity tests. All he can do is query the function $f$, meaning that he can pass in a value $x$ and get the value $f(x)$. Because in a linear expression the coefficient of any variable $x_i$ is 1 if and only if changing the value of $x_i$ changes the value of the expression, the free term may be computed by setting all variables to 0.


2. Online Phase

In this phase, the attacker has to solve a system of linear equations where each linear equation is the co-factor $P_I$ of a maxterm $t_I$. The attacker simply applies a chosen plaintext attack on the cipher. The attacker has to find as many linear relations as possible in order to solve the system of linear equations.
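The preprocessing and online phases described in this section, run on the master polynomial of Example 4.2, as an added example that is not part of the original text. The $x_1x_4$ term in the ANF is an assumption (that term is not legible in the page's print of (4.2)); the cube $I = \{1, 2\}$, the superpoly $x_3 \oplus x_4 \oplus 1$ and the black-box recovery of its free term and coefficients follow Theorem 4.1 and section C.1.

```python
"""Cube attack preprocessing and online phase on the polynomial of Example 4.2
(added example).  The polynomial is queried only as a black box."""
from itertools import product


def f(x1, x2, x3, x4):
    """ANF of Example 4.2: x1, x2 public (IV) bits, x3, x4 secret bits.
    The x1*x4 term is an ASSUMPTION where the page's print is illegible."""
    return ((x1 & x2 & x3) ^ (x1 & x2 & x4) ^ (x1 & x2)
            ^ (x1 & x3 & x4) ^ (x2 & x3 & x4)
            ^ x1 ^ (x1 & x4) ^ x3 ^ x4 ^ 1)


N_PUBLIC, N_SECRET = 2, 2


def cube_sum(poly, cube, public_rest, secret):
    """Sum poly over all 2^|cube| assignments of the cube variables
    (Theorem 4.1).  `cube` holds 0-based indices into the public vector;
    the remaining public variables keep the values in `public_rest`."""
    total = 0
    for bits in product((0, 1), repeat=len(cube)):
        pub = list(public_rest)
        for idx, b in zip(cube, bits):
            pub[idx] = b
        total ^= poly(*pub, *secret)
    return total


def superpoly(poly, cube, n_secret, public_rest):
    """Preprocessing (section C.1): reconstruct the superpoly of `cube` from
    black-box queries.  The free term is the cube sum with every secret bit 0;
    the coefficient of x_i is the cube sum with only x_i = 1, XORed with the
    free term.  Returns (free term, [coefficient of each secret bit])."""
    zero = [0] * n_secret
    const = cube_sum(poly, cube, public_rest, zero)
    coeffs = []
    for i in range(n_secret):
        e_i = zero[:]
        e_i[i] = 1
        coeffs.append(cube_sum(poly, cube, public_rest, e_i) ^ const)
    return const, coeffs


def is_maxterm(poly, cube, n_secret, public_rest):
    """Linearity check: `cube` is a maxterm only if the cube sum equals the
    reconstructed affine form for every secret vector and that form is not
    constant.  (Exhaustive here; for large n_secret one samples random
    pairs instead, as the text's linearity tests do.)"""
    const, coeffs = superpoly(poly, cube, n_secret, public_rest)
    if not any(coeffs):
        return False                      # constant superpoly: no key information
    for key in product((0, 1), repeat=n_secret):
        predicted = const
        for c, k in zip(coeffs, key):
            predicted ^= c & k
        if cube_sum(poly, cube, public_rest, key) != predicted:
            return False                  # nonlinear superpoly: not a maxterm
    return True


def online_equation(poly, cube, public_rest, secret):
    """Online phase: one chosen-IV cube sum on the real key yields the
    right-hand side of the linear equation superpoly(secret) = value."""
    return cube_sum(poly, cube, public_rest, secret)


if __name__ == "__main__":
    cube, rest = [0, 1], [0, 0]       # I = {1, 2}: the maxterm t_I = x1*x2
    print("superpoly:", superpoly(f, cube, N_SECRET, rest))   # (1, [1, 1])
    print("maxterm?", is_maxterm(f, cube, N_SECRET, rest))    # True
    print("x1 alone a maxterm?", is_maxterm(f, [0], N_SECRET, rest))  # False
    print("equation rhs for key (1, 0):", online_equation(f, cube, rest, (1, 0)))
```

Each maxterm contributes one equation $x_3 \oplus x_4 \oplus 1 = \text{rhs}$; with $n$ independent ones the key follows by Gaussian elimination, as the text states.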

D. EXTENSIONS OF THE CUBE ATTACK

Zhang et al. in [5] proposed two different variations of the cube attack: the cube attack with annihilators and the cube attack on a vectorial Boolean function, finding relations with low-degree polynomials.
1. Cube Attack with Annihilators

In cube attacks with annihilators the focus is on stream ciphers. The method is a combination of the algebraic attack of Courtois and Meier [18] and the cube attack [5]. It adapts the main observation of Courtois and Meier about polynomials: for some polynomial $f$ one may find a polynomial $g$ of lower degree than $f$, such that $h = fg$.

Assume that there is a stream cipher and the output bit is

$z = f(x, v),$ (4.7)

where $x$ is the unknown variable and $v$ represents the known variable. Courtois' concept may be applied in the cube attack and one ends up with the following relation [from 5]:

$\sum_{v \in C} h(x, v) = \sum_{v \in C} f(x, v)\, g(x, v),$ (4.8)

where $\deg(g) = k$, $\deg(f) = d$ and $k < d$. Then $\deg(h) = l$, where $l < d$ and $l > k$. In the basic steps of the cube attack with annihilators the attacker initially uses known algorithms to find $g$ and $h$. Then, in the preprocessing phase, the attacker computes the polynomial derived from the summation

$\sum_{v \in C} h(x, v),$ (4.9)

and in the online phase, he calculates through linearization the summation

$\sum_{v \in C} f(x, v)\, g(x, v) = \sum_{v \in C} h(x, v).$ (4.10)

Zhang et al. implemented the above attack on a Toyocrypt cipher with resynchronization, breaking the cipher in a few milliseconds on an ordinary PC [5].


2. Cube Attack on a Vectorial Filter Function with Low Degree

In the cube attack on a vectorial filter function with low degree, Zhang et al. in [5] combined the cube attack with annihilators with low-degree equations on vectorial functions that are obtained from the computation of the rank of the matrices of some monomials. Assume we have the following vectorial filter function:

$z = f(x, v),$ (4.11)

where $x$ are unknown bits of size $n$, $v$ are known bits of size $m$ and $z$ is a vector of multiple output bits. A function $g(x, v, z)$ is found where $\deg_{(x,v)}(g) = k$ such that $h(x, v) = g(x, v, f(x, v))$ is of degree $l$, with $k < l < \deg(f)$.

The attack phases are as follows [from 5]:

Firstly, $g$ and $h$ must be found. Therefore we choose $\sum_{k=0}^{l} \binom{n}{k}$ maxterms, where $e_k$ is the vector whose $k$-th component is 1 and the rest are 0. For each maxterm the summation $\sum_{C} h(x, v)$ is computed by finding the coefficient of every $x$-monomial.

Finally, in the online phase, for each maxterm $\sum_{C} g(x, v, z)$ is computed as a polynomial of $x$, since $z$ is known.

The cube attack with annihilators may be applied on single-bit output ciphers, whereas the cube attack with a filter function may be applied on multi-output stream ciphers.
V. BLUETOOTH KEY STREAM GENERATOR E0

A. INTRODUCTION

The Bluetooth encryption concept is described in Volume 2, Part C, Chapter 4.2 of the Bluetooth specification document [28]. Bluetooth is the name of a wireless communication protocol used for exchanging data between mobile and fixed devices (laptops, PCs, mobile phones, etc.) at low energy and short range, thus creating personal area networks (PANs). The Bluetooth communication range (transmitter to receiver) is from 1 to 10 meters (approximately 33 feet), and high-energy Bluetooth devices enable ranges up to 100 meters (approximately 328 feet). Bluetooth provides authentication mechanisms and data encryption, ensuring confidentiality of the data using point-to-point or broadcast encryption [28, p. 935]. Bluetooth uses the stream cipher algorithm E0 for encryption, which is a combinatory generator with memory. For the rest of the thesis, the author will concentrate on analyzing the key generation process, investigating the cryptographic strength of E0 under a cube attack.

B. BLUETOOTH'S ENCRYPTION APPROACH

Every time two Bluetooth devices want to communicate securely with each other, key exchange protocols are used. Once both users agree on a shared secret, called the link key, and authenticate themselves, this link key is used later to generate the encryption key ($K_C$). Although Bluetooth uses the algorithms E21 and E22, which are based on the block cipher Secure and Fast Encryption Routine (SAFER+), to authenticate its users and for key derivation, Bluetooth does not use these algorithms to encrypt information [28, p. 952]. The actual data of the packet are enciphered separately. The encryption algorithm E0 uses the originator's Bluetooth device address (the master device address, BD_ADDR), twenty-six bits of the originator's clock, and the encryption key $K_C$.
$K_C$ is the secret key that is produced from the current link key. A 96-bit encryption offset number called COF, known from the authentication procedure, and a 128-bit random number (EN_RAND), which is a public variable transmitted as plaintext, are needed in order to produce this encryption key $K_C$, as depicted in Figure 3. This process is executed by the encryption algorithm E3.

Figure 3. Encryption Algorithm E3 (After [28, p. 953])
Inside E0, the secret key $K_C$ is modified into another key, namely $K_C'$. The $K_C'$ key is used along with the public variables, the originating device's media access control (MAC) address, and the clock value. The clock value changes on each packet (and acts as an "IV"), as is shown in Figure 4.

Figure 4. Functional Description of the Encryption Procedure (After [28, p. 937])


The encryption algorithm E0 generates a binary keystream, called $K_{cipher}$, which is bitwise XORed with the plaintext. The cipher is symmetric and decryption is performed in the same way, as the receiver generates the same keystream that is then bitwise XORed with the ciphertext to produce the plaintext.


C. STREAM CIPHER E0

Stream cipher E0 is a keystream combination generator with memory. It uses four LFSRs of total length 128 bits and a nonlinear combiner function with memory. A finite state machine with sixteen states, called a summation combiner, combines the output of the LFSRs. The output of this state machine represents the key sequence or, during the initialization phase, the randomized initial start value. The algorithm uses the encryption key $K_C'$, a 48-bit address, the master clock bits $CLK_{26-1}$, and a 128-bit random number [28, p. 937-938]. The setup of the E0 keystream generator is depicted in Figure 5.

Figure 5. Encryption Procedure (After [39])


The four linear feedback shift registers of E0 (LFSR1, LFSR2, LFSR3 and LFSR4) have the following lengths:

$L_1 = 25,\; L_2 = 31,\; L_3 = 33,\; L_4 = 39.$

Their corresponding feedback polynomials, which are all primitive, are shown in Table 5.
Primitive Feedback Polynomials of E0

i | L_i | Primitive feedback polynomial f_i(x) | Hamming weight
LFSR1 | 25 | x^25 ⊕ x^20 ⊕ x^12 ⊕ x^8 ⊕ 1 | 5
LFSR2 | 31 | x^31 ⊕ x^24 ⊕ x^16 ⊕ x^12 ⊕ 1 | 5
LFSR3 | 33 | x^33 ⊕ x^28 ⊕ x^24 ⊕ x^4 ⊕ 1 | 5
LFSR4 | 39 | x^39 ⊕ x^36 ⊕ x^28 ⊕ x^4 ⊕ 1 | 5

Table 4. Primitive Feedback Polynomials of E0 (From [28, p. 938])

The Hamming weight of each primitive polynomial is five; therefore, the generated sequences have good statistical properties. On the other hand, they are easy to implement in hardware.


The encryption process of E0 is described below. The LFSRs and the memory bits are initialized with the key, an address, a random number, and clocking bits. The clocking bits ensure that the system will not run numerous times with the same initialization and therefore disclose bits of the key. Let $x_t^i$ denote the output bit of LFSR$^i$ at clock time $t$. Then we generate the value $y_t$ from the 4-tuple $x_t^1, x_t^2, x_t^3, x_t^4$ by

$y_t = \sum_{i=1}^{4} x_t^i.$ (5.1)

The summation is over the integers, which means that $y_t$ belongs to $\{0,1,2,3,4\}$. The output of the summation generator can be obtained as follows.² The function $f_1$ is formed using the XOR operation and one can generate the bit $z_t$ of the keystream:

² The glossary of the E0 keystream generator can be found in Appendix D.
$z_t = f_1(x_t^1, x_t^2, x_t^3, x_t^4, c_t^0) = x_t^1 \oplus x_t^2 \oplus x_t^3 \oplus x_t^4 \oplus c_t^0,\quad z_t \in \{0, 1\}.$ (5.2)

The nonlinearity of E0 comes from the function $f_2$, whose output is the two-bit value $s_t$:

$s_{t+1} = (s_{t+1}^1, s_{t+1}^0) = \left\lfloor \frac{y_t + c_t}{2} \right\rfloor \in \{0, 1, 2, 3\}.$ (5.3)

The "+" symbol in Equation (5.3) is the usual integer sum. The memory update function is a composition of $f_2$ and $T$ and is linear, with the following form:

$c_{t+1} = (c_{t+1}^1, c_{t+1}^0) = T(s_{t+1}, c_t, c_{t-1}) = s_{t+1} \oplus T_1[c_t] \oplus T_2[c_{t-1}],$ (5.4)

where $T_1[\cdot]$ and $T_2[\cdot]$ are two different linear bijections over GF(4), summarized in Table 6 [28, p. 939].





E0 Linear Bijections Mapping to Binary Vectors

x1x0 | T1[x] | T2[x]
00 | 00 | 00      T1: (x1, x0) -> (x1, x0)
01 | 01 | 11      T2: (x1, x0) -> (x0, x1 ⊕ x0)
10 | 10 | 01
11 | 11 | 10

Table 5. Mappings of T1 and T2


The E0 algorithm must be initialized with a value for the four LFSRs (128 bits in total) and the four bits that specify the values of $c_t, c_{t-1}$. The 132-bit initial value is derived from four inputs using the keystream generator itself. The input parameters are $K_C'$, a 128-bit random number RAND, a 48-bit Bluetooth device address, and the twenty-six originator's device clock bits $CLK_{26-1}$ [28, p. 940].
D. MODELING ENCRYPTION FUNCTION OF E0

During the author's investigation of the encryption function of the E0 algorithm, he adopted Armknecht and Krause's approach [22] in order to find a function that does not depend on the memory bits and holds for every clock tick.

Let $z_t$ be the keystream bit produced by E0 at clock $t$, $z_{t+1}$ the keystream bit produced by E0 at clock $t+1$, etc. These bits are randomly generated. At every clock value, the output of E0 is the bit $z_t$, which depends on the output bits of the four LFSRs $x_t = (x_t^1, x_t^2, x_t^3, x_t^4) \in \{0,1\}^4$ and the four memory bits $c_t \in \{0,1\}^4$. In more detail, the components of $c_t = (c_t^1, c_t^0)$ are as follows:

$c_t^1 = s_t^1 \oplus c_{t-1}^1 \oplus c_{t-2}^0,$ (5.5)
$c_t^0 = s_t^0 \oplus c_{t-1}^0 \oplus c_{t-2}^1 \oplus c_{t-2}^0.$ (5.6)

The goal of the cryptanalysis is to come up with an equation that describes the encryption of the E0 keystream generator consisting only of the bits of the LFSRs and the keystream bits $z_t$, while eliminating the memory bits $c_t$. The reason is that the author does not want to use a polynomial of degree $n$ for which the system of equations would be unsolvable [23, p. 5]. The encryption function $G$ for E0 becomes

$G(L(K), z_t, z_{t+1}, z_{t+2}, z_{t+3}) = 0,$ where $L(K) = (x_t, x_{t+1}, x_{t+2}, x_{t+3}).$ (5.7)
More specifically, 


% ® Zed ® S142 ® 2143 ® 1BbeR ec ® rama ® L142 ® Zu) ® peed ® 


1 
10 be (z, ® X42 ® 2143 ® Zk ® Sr h142 ® Loci Spe) ® 


T, ® 186i Hae (l ® Za) ® TH ® abies dae ® | ee A bey 2 © a ® 1) ® 


t+ 


I Bbae W Gey can ® 3 ® Be 8 bee (l ® Za) ® Dhan hie ® 
Boas ® Ts (1 ® Zea) ® Esl 3 ® 
IDE cen ®IT;,, ®IT),, = 0 7 (5.8) 


where $\Pi_t^i$ denotes the $i$-th elementary symmetric polynomial in $x_t$:

$\Pi_t^1 = x_1 \oplus x_2 \oplus x_3 \oplus x_4$
$\Pi_t^2 = x_1x_2 \oplus x_1x_3 \oplus x_1x_4 \oplus x_2x_3 \oplus x_2x_4 \oplus x_3x_4$
$\Pi_t^3 = x_1x_2x_3 \oplus x_1x_2x_4 \oplus x_1x_3x_4 \oplus x_2x_3x_4$
$\Pi_t^4 = x_1x_2x_3x_4$ (5.9)

$\Pi_{t+1}^1 = x_5 \oplus x_6 \oplus x_7 \oplus x_8$
$\Pi_{t+1}^2 = x_5x_6 \oplus x_5x_7 \oplus x_5x_8 \oplus x_6x_7 \oplus x_6x_8 \oplus x_7x_8$
$\Pi_{t+1}^3 = x_5x_6x_7 \oplus x_5x_6x_8 \oplus x_5x_7x_8 \oplus x_6x_7x_8$
$\Pi_{t+1}^4 = x_5x_6x_7x_8$ (5.10)

$\Pi_{t+2}^1 = x_9 \oplus x_{10} \oplus x_{11} \oplus x_{12}$
$\Pi_{t+2}^2 = x_9x_{10} \oplus x_9x_{11} \oplus x_9x_{12} \oplus x_{10}x_{11} \oplus x_{10}x_{12} \oplus x_{11}x_{12}$
$\Pi_{t+2}^3 = x_9x_{10}x_{11} \oplus x_9x_{10}x_{12} \oplus x_9x_{11}x_{12} \oplus x_{10}x_{11}x_{12}$
$\Pi_{t+2}^4 = x_9x_{10}x_{11}x_{12}$ (5.11)

$\Pi_{t+3}^1 = x_{13} \oplus x_{14} \oplus x_{15} \oplus x_{16}$
$\Pi_{t+3}^2 = x_{13}x_{14} \oplus x_{13}x_{15} \oplus x_{13}x_{16} \oplus x_{14}x_{15} \oplus x_{14}x_{16} \oplus x_{15}x_{16}$
$\Pi_{t+3}^3 = x_{13}x_{14}x_{15} \oplus x_{13}x_{14}x_{16} \oplus x_{13}x_{15}x_{16} \oplus x_{14}x_{15}x_{16}$
$\Pi_{t+3}^4 = x_{13}x_{14}x_{15}x_{16}$ (5.12)
and the output bit streams for clock times $t, t+1, t+2, t+3$ are as follows:

$z_t = a$
$z_{t+1} = b$
$z_{t+2} = c$
$z_{t+3} = d$ (5.13)
Theorem 5.1: The encryption function of E0 depends only on the output 
bits of the four LFSRs and the output keystream bit and holds for every clock tick. 
Four consecutive clock ticks are needed. 


Proof [from [22]]: 

The keystream generator E0 consists of four LFSRs and four memory 
bits. For every clock time t an output $z_t$ is produced based on the outputs 
$x_t = (x^1_t, x^2_t, x^3_t, x^4_t)$ of the four LFSRs and the four memory bits $c_t = (q_t, p_t, q_{t-1}, p_{t-1})$. 
The next memory bits at clock time t+1 are $c_{t+1} = (q_{t+1}, p_{t+1}, q_t, p_t)$. The memory 
bits $q_t, p_t$ appear in both clock times t and t+1. The variable $\Pi^i_t$ denotes the i-th 
elementary symmetric polynomial over $x_t = (x^1_t, x^2_t, x^3_t, x^4_t)$, which is the sum of 
all monomials of length $i \le 4$. 





Thus, 

$$z_t = \Pi^1_t \oplus p_t, \qquad (5.14)$$

$$c_{t+1} = (q_{t+1}, p_{t+1}, q_t, p_t). \qquad (5.15)$$

However, at the same time 

$$c_{t+1} = (s^1_{t+1} \oplus q_t \oplus p_{t-1},\; s^0_{t+1} \oplus p_t \oplus q_{t-1} \oplus p_{t-1},\; q_t,\; p_t), \qquad (5.16)$$
oe =(hypsh p=] AE ae (5.17) 
The contents of the LFSRs and the initial value of the memory c are set at the beginning. All the 
other values may be calculated from these. 

From Equations (5.15) and (5.16), the following is obtained: 

$$c_{t+1} = (q_{t+1}, p_{t+1}, q_t, p_t) = (s^1_{t+1} \oplus q_t \oplus p_{t-1},\; s^0_{t+1} \oplus p_t \oplus q_{t-1} \oplus p_{t-1},\; q_t,\; p_t). \qquad (5.18)$$


Assume $f_0$ and $f_1$ are two Boolean functions derived from Equations (5.3) and 
(5.4) such that: 

$$s^i_{t+1} = f_i(x^1_t, x^2_t, x^3_t, x^4_t, q_t, p_t), \quad \text{where } i \in \{0, 1\}. \qquad (5.19)$$


Armknecht [22, pp. 173-174] proved that the algebraic normal forms of $f_0$ and $f_1$ 
have the expressions: 

$$f_0 = \Pi^2_t \oplus \Pi^1_t p_t \oplus q_t, \qquad (5.20)$$

$$f_1 = \Pi^4_t \oplus \Pi^3_t p_t \oplus \Pi^2_t q_t \oplus \Pi^1_t p_t q_t. \qquad (5.21)$$
Based on Equation (5.18) we obtain 

$$p_{t+1} = s^0_{t+1} \oplus p_t \oplus q_{t-1} \oplus p_{t-1} = \Pi^2_t \oplus \Pi^1_t p_t \oplus q_t \oplus q_{t-1} \oplus p_t \oplus p_{t-1}, \qquad (5.22)$$

$$q_{t+1} = s^1_{t+1} \oplus q_t \oplus p_{t-1} = \Pi^4_t \oplus \Pi^3_t p_t \oplus \Pi^2_t q_t \oplus \Pi^1_t p_t q_t \oplus q_t \oplus p_{t-1}. \qquad (5.23)$$

The values of $p_{t+1}$ and $q_{t+1}$ depend on $x_t, q_t, q_{t-1}, p_t, p_{t-1}$ and $x_t, q_t, p_t, p_{t-1}$, 
respectively. 
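As an added, runnable check of Equations (5.14) and (5.20) through (5.23) (example code written for this page, not code from the thesis or from Armknecht's paper), the following implements one clock of the E0 combiner's finite state machine and compares it exhaustively with the algebraic normal forms $f_0$ and $f_1$. It assumes the Bluetooth definition of the FSM, $s_{t+1} = \lfloor (y_t + c_t)/2 \rfloor$ with $y_t$ the integer sum of the four LFSR bits and $c_t = 2q_t + p_t$, followed by $c_{t+1} = s_{t+1} \oplus T_1[c_t] \oplus T_2[c_{t-1}]$ with $T_1$ the identity and $T_2(x_1, x_0) = (x_0, x_1 \oplus x_0)$; the identification $p_t = c^0_t$, $q_t = c^1_t$ follows from (5.14). The function names and the sample sequence of LFSR outputs are the example's own.

```python
from itertools import product
from math import comb

def pi(k, bits):
    """k-th elementary symmetric polynomial over GF(2) of a bit list.
    With s ones among the inputs it equals C(s, k), reduced mod 2."""
    return comb(sum(bits), k) & 1

def e0_step(x, c_t, c_prev):
    """One clock of the E0 combiner FSM (assumed Bluetooth definition, see the
    lead-in).  Memory words are (q, p) pairs, q the high bit.
    Returns ((s1, s0), (q_{t+1}, p_{t+1}), z_t)."""
    q_t, p_t = c_t
    q_prev, p_prev = c_prev
    s = (sum(x) + 2 * q_t + p_t) // 2      # s_{t+1} as an integer in 0..3
    s1, s0 = (s >> 1) & 1, s & 1
    q_next = s1 ^ q_t ^ p_prev             # T1 gives q_t, T2 gives p_{t-1}
    p_next = s0 ^ p_t ^ q_prev ^ p_prev    # T1 gives p_t, T2 gives q_{t-1} xor p_{t-1}
    z = pi(1, x) ^ p_t                     # keystream bit, Equation (5.14)
    return (s1, s0), (q_next, p_next), z

def f0(x, q, p):
    """Equation (5.20): algebraic normal form of s^0_{t+1}."""
    return pi(2, x) ^ (pi(1, x) & p) ^ q

def f1(x, q, p):
    """Equation (5.21): algebraic normal form of s^1_{t+1}."""
    return pi(4, x) ^ (pi(3, x) & p) ^ (pi(2, x) & q) ^ (pi(1, x) & p & q)

def check_anf_of_s():
    """(5.19)-(5.21): the FSM's s^0, s^1 agree with f0, f1 on all 64 inputs."""
    for x in product((0, 1), repeat=4):
        for q, p in product((0, 1), repeat=2):
            (s1, s0), _, _ = e0_step(x, (q, p), (0, 0))
            if (s0, s1) != (f0(x, q, p), f1(x, q, p)):
                return False
    return True

def check_memory_update():
    """(5.22)-(5.23): p_{t+1} and q_{t+1} written through f0, f1 and the two
    previous memory words agree with the FSM on all 256 inputs."""
    for x in product((0, 1), repeat=4):
        for q, p, q_prev, p_prev in product((0, 1), repeat=4):
            _, (q_next, p_next), _ = e0_step(x, (q, p), (q_prev, p_prev))
            if p_next != f0(x, q, p) ^ p ^ q_prev ^ p_prev:
                return False
            if q_next != f1(x, q, p) ^ q ^ p_prev:
                return False
    return True

def keystream(xs, c0=(0, 0), c_minus1=(0, 0)):
    """Clock the FSM over a sequence of LFSR output vectors and return the
    keystream bits z_t; the memory starts at the given (constructed) values."""
    out, c_prev, c_t = [], c_minus1, c0
    for x in xs:
        _, c_next, z = e0_step(x, c_t, c_prev)
        out.append(z)
        c_prev, c_t = c_t, c_next
    return out

if __name__ == "__main__":
    print("s^0, s^1 match (5.20)/(5.21):", check_anf_of_s())
    print("memory update matches (5.22)/(5.23):", check_memory_update())
    # constructed sample: four clocks of LFSR output bits
    print("z_t..z_{t+3}:", keystream([(1, 0, 1, 1), (0, 1, 1, 0), (1, 1, 1, 1), (0, 0, 0, 1)]))
```

Both checks are exhaustive, so they are proofs for this FSM definition rather than samples; the integer form of $s_{t+1}$ in `e0_step` is the only place the Bluetooth specification enters, everything else is the page's algebra.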
Equations (5.22) and (5.23) are simplified by using the following equations: 

$$\Phi(t) = \Pi^4_t \oplus \Pi^3_t p_t \oplus p_{t-1}, \qquad (5.24)$$

$$\Psi(t) = \Pi^2_t \oplus \Pi^1_t p_t \oplus 1. \qquad (5.25)$$

Therefore, Equations (5.22) and (5.23) become 

$$p_{t+1} = \Psi(t) \oplus 1 \oplus p_{t-1} \oplus p_t \oplus q_t \oplus q_{t-1}, \qquad (5.26)$$

$$q_{t+1} = \Phi(t) \oplus \Psi(t) q_t. \qquad (5.27)$$

From Equation (5.27), the following is obtained: 

$$\Psi(t) q_{t+1} = \Psi(t)\Phi(t) \oplus \Psi(t)\Psi(t) q_t, \quad \text{or}$$

$$\Psi(t)\big(\Phi(t) \oplus q_t \oplus q_{t+1}\big) = 0, \quad \text{since } \Psi(t)\Psi(t) = \Psi(t). \qquad (5.28)$$

Equation (5.26) is then transformed into the following: 

$$q_t \oplus q_{t-1} = \Psi(t) \oplus 1 \oplus p_{t+1} \oplus p_t \oplus p_{t-1}. \qquad (5.29)$$

Replacing t by t+1 in Equation (5.28) and applying Equation (5.29), we have: 

$$\Psi(t)\big(\Phi(t) \oplus \Psi(t+1) \oplus 1 \oplus p_t \oplus p_{t+1} \oplus p_{t+2}\big) = 0. \qquad (5.30)$$


Applying Equation (5.14), we are now able to derive Equation (5.8), which holds 
for every clock t and does not have any memory bits in it, and in a more generic form: 

$$G(x_t, x_{t+1}, x_{t+2}, x_{t+3}, z_t, z_{t+1}, z_{t+2}, z_{t+3}) = 0.$$


Equation (5.8), of degree 4 with twenty variables, can be fully described by the 
following expression: 

$$\begin{aligned}
0 ={}& a \oplus b \oplus c \oplus d \oplus {} \\
& (x_5x_6 \oplus x_5x_7 \oplus x_5x_8 \oplus x_6x_7 \oplus x_6x_8 \oplus x_7x_8)(a \oplus b \oplus c \oplus d) \oplus x_5x_6x_7x_8 \oplus {} \\
& (x_5 \oplus x_6 \oplus x_7 \oplus x_8)(a \oplus c \oplus d \oplus ab \oplus bc \oplus bd) \oplus x_1 \oplus x_2 \oplus x_3 \oplus x_4 \oplus {} \\
& (x_1 \oplus x_2 \oplus x_3 \oplus x_4)(x_5 \oplus x_6 \oplus x_7 \oplus x_8)(1 \oplus b) \oplus {} \\
& (x_1 \oplus x_2 \oplus x_3 \oplus x_4)(x_5x_6 \oplus x_5x_7 \oplus x_5x_8 \oplus x_6x_7 \oplus x_6x_8 \oplus x_7x_8) \oplus {} \\
& (x_9 \oplus x_{10} \oplus x_{11} \oplus x_{12})b \oplus (x_9 \oplus x_{10} \oplus x_{11} \oplus x_{12})(x_5 \oplus x_6 \oplus x_7 \oplus x_8)c(b \oplus 1) \oplus {} \\
& (x_9 \oplus x_{10} \oplus x_{11} \oplus x_{12})(x_5x_6 \oplus x_5x_7 \oplus x_5x_8 \oplus x_6x_7 \oplus x_6x_8 \oplus x_7x_8)c \oplus {} \\
& (x_9x_{10} \oplus x_9x_{11} \oplus x_9x_{12} \oplus x_{10}x_{11} \oplus x_{10}x_{12} \oplus x_{11}x_{12}) \oplus {} \\
& (x_9x_{10} \oplus x_9x_{11} \oplus x_9x_{12} \oplus x_{10}x_{11} \oplus x_{10}x_{12} \oplus x_{11}x_{12})(x_5 \oplus x_6 \oplus x_7 \oplus x_8)(1 \oplus b) \oplus {} \\
& (x_9x_{10} \oplus x_9x_{11} \oplus x_9x_{12} \oplus x_{10}x_{11} \oplus x_{10}x_{12} \oplus x_{11}x_{12})(x_5x_6 \oplus x_5x_7 \oplus x_5x_8 \oplus x_6x_7 \oplus x_6x_8 \oplus x_7x_8) \oplus {} \\
& x_{13} \oplus x_{14} \oplus x_{15} \oplus x_{16} \oplus (x_{13} \oplus x_{14} \oplus x_{15} \oplus x_{16})(x_5 \oplus x_6 \oplus x_7 \oplus x_8)(b \oplus 1) \oplus {} \\
& (x_{13} \oplus x_{14} \oplus x_{15} \oplus x_{16})(x_5x_6 \oplus x_5x_7 \oplus x_5x_8 \oplus x_6x_7 \oplus x_6x_8 \oplus x_7x_8) \oplus {} \\
& x_5x_6x_7b \oplus x_5x_6x_8b \oplus x_5x_7x_8b \oplus x_6x_7x_8b \oplus x_5x_6 \oplus x_5x_7 \oplus x_5x_8 \oplus x_6x_7 \oplus x_6x_8 \oplus x_7x_8 \oplus {} \\
& x_5 \oplus x_6 \oplus x_7 \oplus x_8. \qquad (5.31)
\end{aligned}$$


The full expansion of the encryption function of E0 can be found in Appendix A. 
VI. AUTOMATED TOOL FOR MODELING CUBE ATTACK 


No matter how correct a mathematical theorem may appear to be, 
one ought never to be satisfied that there was not something 
imperfect about it until it also gives the impression of being 
beautiful. 


George Boole (1815-1864) 
A. OVERVIEW 


In this chapter, the author implemented Dinur and Shamir's cube attack on 
the Bluetooth E0 keystream generator. In order to do that, he modeled the E0 
encryption function of Bluetooth in Chapter V. He then created an automated tool 
in the Maple 12 environment (http://www.maplesoft.com) that finds all of the 
maxterms and their corresponding superpolys (linear coefficients) of the 
encryption function. Then, in the online phase, he used a chosen plaintext attack 
in order to solve the system of linear equations he found. Eventually, he 
evaluated the results and investigated the complexity of the process. 


B. APPROACH—BASIC ASSUMPTIONS 


The most time-consuming work in the computation process, namely 
finding the maxterms and their corresponding superpolys, was executed in the 
Maple 12 environment. Maple is a high-level programming language with 
powerful built-in symbolic algebra, numerical and graphical capabilities. The 
reasons why the author chose Maple 12 instead of any other programming 
language like C, C++, Java, or symbolic Python were mainly that he wanted to 
benefit from the advantages of a high-performance mathematical engine with 
fully integrated numerals and symbols, especially in algebra. With this in mind, 
under the guidance of an expert programmer in the Maple environment, Dr. 
David Canright, Associate Professor of the Department of Applied Mathematics 
of the Naval Postgraduate School, the author created effective code in a compact 
and optimal way. 
1. Modeling Environment 


Maple uses a C-like programming language. It has many of the features 
that other high-level programming languages have, like loops, conditionals, and 
functions. Maple does not support classes of objects; however, this feature is 
overcome by a rich set of packages available for Maple. Maple can generate 
code in other high-level programming languages like C, Java, Fortran, Visual 
Basic and Matlab using the CodeGeneration package. The OpenWatcom C 
compiler is used for the Maple compiler. This allows the user to compile some 


types of user-written Maple routines to increase code performance. 


Maple 12 works on Windows (2000, 2003, XP, Vista), Macintosh, UNIX, 
Linux and Solaris environments. Developers’ system recommendations include 
the following [29]: 


• CPU: AMD x86_64 / 1 GHz / Intel Xeon / Intel 64 
• RAM: 512 MB (at least) 
• Hard disk: 1 GB 


The computational interfaces Maple 12 has available for its users include 
the standard worksheet, which is the environment that the author worked in. The 
standard worksheet is a full-feature graphical user interface that enables users to 
create documents, and it displays all the calculations and possible errors in the 
results. The standard interface is written primarily in Java to speed up the 
computational process and provide portability. The standard worksheet has two 
modes: the document mode and the worksheet mode. The main difference 
between these two modes is that in the first interface the user hides all 
commands used to perform calculations whereas in the latter interface the user 
shows all commands. Maple 12 also has other user interfaces such as the 
classic worksheet, which is a basic worksheet environment for computers with 
limited memory; and the command line interface, in which a user may solve large 
and complex problems without thorough graphical user interface features 
available. 
The Maplesoft graphing calculator provides another Maple 12 interface 
and is available for computers using the Microsoft Windows Operating System 
only. This graphical user interface contains windows, textbox regions and other 
visual interfaces that give the user a point-and-click interface to access the 
computation processor of Maple without using the worksheet. Finally, Maple 
provides the Maplet application. It has a graphical calculator interface that the 
user can use to perform simple computations and create customizable graphs in 
a Windows environment only [30]. 


2. Basic Assumptions 


In part, the cube attack is a chosen plaintext attack: the part that can be 
manipulated by the attacker. To implement the cube attack, we assume the 
attacker has the capability to properly send structured packets that the Bluetooth 
receiver will respond to, thus providing the attacker with access to the encryption 
machine. This machine behaves like an oracle. If the attacker convinces the 
oracle it is a legitimate participant, it will be duped into sending data to the 
attacker or another participant; however, the attacker can observe “over the air” 


whatever responses the oracle or the user sends back. 


For example, the attacker can masquerade as a real user, with sufficient 
detail to send data to the oracle. The oracle will return encrypted data to the 
attacker or an authorized user/participant in the communication process, and the 
attacker will collect this data. The attacker thus gains some knowledge of the 
output bitstreams for the combiner at clock ticks t, t+1, t+2, and t+3. 
The following theorem is derived from our investigation: 


Theorem 6.1: The maxterms of the E0 encryption function can only be of 2nd 
or 3rd degree. 
Proof: 


Assume that a maxterm could be of degree 4. By Definition 4.3 of the term 
called maxterm, in order for a maxterm to exist there must be terms in the E0 
encryption function of the 5th degree. Since the encryption function being used in 
this study (Appendix A) is of degree 4, it cannot have a maxterm of degree 4. 

Assume that a maxterm could be of degree 1. Then, by the definition of 
maxterm, since the cofactor must be linear and not constant, one must check all 
the 2nd degree terms of the encryption function E0 in Equation (5.31). Thus, one 
may observe there that the only terms of the 2nd degree derive from the following 
products: 


$\Pi^2_{t+1}(z_t \oplus z_{t+1} \oplus z_{t+2} \oplus z_{t+3})$, $\Pi^1_t \Pi^1_{t+1}(1 \oplus z_{t+1})$, $\Pi^1_{t+2} \Pi^1_{t+1} z_{t+2}(z_{t+1} \oplus 1)$, $\Pi^1_{t+3} \Pi^1_{t+1}(1 \oplus z_{t+1})$, $\Pi^2_{t+2}$ 
and $\Pi^2_{t+1}$. 


Each term of the 2nd degree is examined as follows: 

$$\begin{aligned}
\Pi^2_{t+1}(z_t \oplus z_{t+1} \oplus z_{t+2} \oplus z_{t+3}) ={}& x_5x_6a \oplus x_5x_6b \oplus x_5x_6c \oplus x_5x_6d \oplus x_5x_7a \oplus x_5x_7b \oplus x_5x_7c \oplus x_5x_7d \oplus {} \\
& x_5x_8a \oplus x_5x_8b \oplus x_5x_8c \oplus x_5x_8d \oplus x_6x_7a \oplus x_6x_7b \oplus x_6x_7c \oplus x_6x_7d \oplus {} \\
& x_6x_8a \oplus x_6x_8b \oplus x_6x_8c \oplus x_6x_8d \oplus x_7x_8a \oplus x_7x_8b \oplus x_7x_8c \oplus x_7x_8d, \qquad (6.1)
\end{aligned}$$

$$\Pi^1_t \Pi^1_{t+1}(1 \oplus z_{t+1}) = \bigoplus_{i=1}^{4} \bigoplus_{j=5}^{8} x_i x_j \;\oplus\; \bigoplus_{i=1}^{4} \bigoplus_{j=5}^{8} x_i x_j b, \qquad (6.2)$$

$$\Pi^1_{t+2} \Pi^1_{t+1} z_{t+2}(z_{t+1} \oplus 1) = \bigoplus_{i=9}^{12} \bigoplus_{j=5}^{8} x_i x_j cb \;\oplus\; \bigoplus_{i=9}^{12} \bigoplus_{j=5}^{8} x_i x_j c, \qquad (6.3)$$

$$\Pi^2_{t+2} = x_9x_{10} \oplus x_9x_{11} \oplus x_9x_{12} \oplus x_{10}x_{11} \oplus x_{10}x_{12} \oplus x_{11}x_{12}, \qquad (6.4)$$

$$\Pi^1_{t+3} \Pi^1_{t+1}(1 \oplus z_{t+1}) = \bigoplus_{i=13}^{16} \bigoplus_{j=5}^{8} x_i x_j \;\oplus\; \bigoplus_{i=13}^{16} \bigoplus_{j=5}^{8} x_i x_j b, \qquad (6.5)$$

$$\Pi^2_{t+1} = x_5x_6 \oplus x_5x_7 \oplus x_5x_8 \oplus x_6x_7 \oplus x_6x_8 \oplus x_7x_8. \qquad (6.6)$$


Notice that a, b, c, and d are assumed known bits (0 or 1) because we assume that 
the attacker can intercept them; therefore, their appearance as terms in the 
equation does not increase the degree of the equation since they behave as 
constants. 

In the next steps, the author investigates the unknown variables $x_1, \dots, x_{16}$ that 
appear in Equations (6.1) through (6.6). 

We note that if there is factoring by $x_1$ (thought of as a maxterm) in 
Equations (6.1) and (6.2) where $x_1$ appears, then one gets 
$x_1(x_5 \oplus x_6 \oplus x_7 \oplus x_8 \oplus x_5 b \oplus x_6 b \oplus x_7 b \oplus x_8 b)$. However, looking at Equation 
(5.31), $x_1$ appears also in the product: 

$$\Pi^1_t \Pi^2_{t+1} = (x_1 \oplus x_2 \oplus x_3 \oplus x_4)(x_5x_6 \oplus x_5x_7 \oplus x_5x_8 \oplus x_6x_7 \oplus x_6x_8 \oplus x_7x_8).$$

That means that the superpoly is not going to be linear but of 2nd degree and, 
based on Definition 4.3, $x_1$ fails to be a maxterm. 

Similarly, the appearance of the product $\Pi^1_t \Pi^2_{t+1}$ in Equation (5.31) makes 
the variables $x_2, x_3, x_4, x_5, x_6, x_7, x_8$ fail to be maxterms for the same reason.³ 

³ Note that variables $x_5, x_6, x_7, x_8$ fail at being maxterms because $\Pi^4_{t+1} = x_5x_6x_7x_8$ appears 
in Equation (5.31). 
If one factors $x_9$ from Equations (6.3) and (6.4), one gets the following 
product: $x_9(x_5 cb \oplus x_6 cb \oplus x_7 cb \oplus x_8 cb \oplus x_{10} \oplus x_{11} \oplus x_{12})$, where $x_9$ fulfills Definition 
4.3. However, looking at Equation (5.31), $x_9$ also appears in the product: 

$$\begin{aligned}
\Pi^2_{t+2} \Pi^2_{t+1} ={}& (x_9x_{10} \oplus x_9x_{11} \oplus x_9x_{12} \oplus x_{10}x_{11} \oplus x_{10}x_{12} \oplus x_{11}x_{12})(x_5x_6 \oplus x_5x_7 \oplus x_5x_8 \oplus x_6x_7 \oplus x_6x_8 \oplus x_7x_8) \\
={}& \bigoplus_{9 \le i < j \le 12} \;\bigoplus_{5 \le k < l \le 8} x_i x_j x_k x_l .
\end{aligned}$$

That means that the superpoly is not going to be linear, but of 2nd degree, and 
again by Definition 4.3, $x_9$ fails at being a maxterm. The appearance of the 
same product $\Pi^2_{t+2} \Pi^2_{t+1}$ in Equation (5.31) makes variables $x_{10}, x_{11}, x_{12}$ fail at being 
maxterms for the same reasons $x_9$ did.⁴ 

The results detailed in Table 7 of section C of this chapter illustrate that 
the maxterms of 2nd and 3rd degree do exist. 


C. RESULTS 
1. Preprocessing Phase 


In Table 7, the author has displayed all the maxterms and their 
corresponding linear coefficients or superpolys of the encryption function found 
by running the program in the Maple environment. 

⁴ Note that variables $x_9, x_{10}, x_{11}, x_{12}$ fail at being maxterms because $\Pi^2_{t+2} \Pi^1_{t+1}$ and $\Pi^1_{t+2} \Pi^2_{t+1}$ 
appear in Equation (5.31). 
Superpolys (with Linear Coefficients) | Cube Indexes of Maxterms of the 2nd Degree | Cube Indexes of Maxterms of the 3rd Degree 
x6 ⊕ x7 ⊕ x8 ⊕ b ⊕ 1 | {1,5}, {2,5}, {3,5}, {4,5}, {5,13}, {5,14}, {5,15}, {5,16} | {5,9,10}, {5,9,11}, {5,9,12}, {5,10,11}, {5,10,12}, {5,11,12} 
x5 ⊕ x7 ⊕ x8 ⊕ b ⊕ 1 | {1,6}, {2,6}, {3,6}, {4,6}, {6,13}, {6,14}, {6,15}, {6,16} | {6,9,10}, {6,9,11}, {6,9,12}, {6,10,11}, {6,10,12}, {6,11,12} 
x5 ⊕ x6 ⊕ x8 ⊕ b ⊕ 1 | {1,7}, {2,7}, {3,7}, {4,7}, {7,13}, {7,14}, {7,15}, {7,16} | {7,9,10}, {7,9,11}, {7,9,12}, {7,10,11}, {7,10,12}, {7,11,12} 
x5 ⊕ x6 ⊕ x7 ⊕ b ⊕ 1 | {1,8}, {2,8}, {3,8}, {4,8}, {8,13}, {8,14}, {8,15}, {8,16} | {8,9,10}, {8,9,11}, {8,9,12}, {8,10,11}, {8,10,12}, {8,11,12} 
x9 ⊕ x10 ⊕ x11 ⊕ c | - | {5,6,12}, {5,7,12}, {5,8,12}, {6,7,12}, {6,8,12}, {7,8,12} 
x9 ⊕ x10 ⊕ x12 ⊕ c | - | {5,6,11}, {5,7,11}, {5,8,11}, {6,7,11}, {6,8,11}, {7,8,11} 
x9 ⊕ x11 ⊕ x12 ⊕ c | - | {5,6,10}, {5,7,10}, {5,8,10}, {6,7,10}, {6,8,10}, {7,8,10} 
x10 ⊕ x11 ⊕ x12 ⊕ c | - | {5,6,9}, {5,7,9}, {5,8,9}, {6,7,9}, {6,8,9}, {7,8,9} 
x5 ⊕ b | - | {6,7,8} 
x6 ⊕ b | - | {5,7,8} 
x7 ⊕ b | - | {5,6,8} 
x8 ⊕ b | - | {5,6,7} 
Table 6. Maxterms and Superpolys of the E0 Keystream Generator 


The author ended up with twelve superpolys/linear coefficients, depending 
on the following unknown variables: $x_5, x_6, x_7, x_8, x_9, x_{10}, x_{11}, x_{12}$. 


Observation 6.2: The author was forced to use variables 
$x_5, x_6, x_7, x_8, x_9, x_{10}, x_{11}, x_{12}$ as unknowns since they are the only variables that 
appear as variables in the superpolys. By implementing a chosen plaintext 
attack, the attacker can determine their values. 
This is a useful observation, and in addition, the terms that appear in the 2nd and 
3rd columns of the table do not have to be assumed known, but rather only need 
to be manipulatable. 


The program was executed several times, for testing purposes, on an Intel 
Pentium 4 processor with a CPU of 2.80 GHz and 1GB of RAM, and the results 
were produced in a mean time of 8.03 seconds, consuming 5.25 MB of memory. 


2. Online Phase 


Using the encryption function formed by the multivariable polynomial 
(Appendix A) after the preprocessing phase, the attacker obtained all the possible 
linear co-factors (superpolys). From the specific encryption function of the 
multivariable polynomial (obtained after the attacker masquerades as an 
authorized user and gains access to the security protocol) the attacker will 
eventually succeed in gathering twelve unique and independent equations: 

$$\begin{aligned}
x_5 \oplus b &= a_1, & (6.1) \\
x_6 \oplus b &= a_2, & (6.2) \\
x_7 \oplus b &= a_3, & (6.3) \\
x_8 \oplus b &= a_4, & (6.4) \\
x_6 \oplus x_7 \oplus x_8 \oplus b \oplus 1 &= a_5, & (6.5) \\
x_5 \oplus x_7 \oplus x_8 \oplus b \oplus 1 &= a_6, & (6.6) \\
x_5 \oplus x_6 \oplus x_8 \oplus b \oplus 1 &= a_7, & (6.7) \\
x_5 \oplus x_6 \oplus x_7 \oplus b \oplus 1 &= a_8, & (6.8) \\
x_9 \oplus x_{10} \oplus x_{11} \oplus c &= a_9, & (6.9) \\
x_9 \oplus x_{10} \oplus x_{12} \oplus c &= a_{10}, & (6.10) \\
x_9 \oplus x_{11} \oplus x_{12} \oplus c &= a_{11}, & (6.11) \\
x_{10} \oplus x_{11} \oplus x_{12} \oplus c &= a_{12}, & (6.12)
\end{aligned}$$
where $a_i \in \{0, 1\}$ and $i \in \{1, \dots, 12\}$ are considered known bits. 

The above system of equations is an over-defined system of equations on the 
variables $x_5, x_6, x_7, x_8$. The solution we obtained is: 

$$\begin{aligned}
x_5 &= a_1 \oplus b, & (6.13) \\
x_6 &= a_2 \oplus b, & (6.14) \\
x_7 &= a_3 \oplus b, & (6.15) \\
x_8 &= a_4 \oplus b, & (6.16) \\
x_9 &= a_9 \oplus a_{10} \oplus a_{11} \oplus c, \quad x_{10} = a_9 \oplus a_{10} \oplus a_{12} \oplus c, & (6.17) \\
x_{11} &= a_9 \oplus a_{11} \oplus a_{12} \oplus c, \quad x_{12} = a_{10} \oplus a_{11} \oplus a_{12} \oplus c. & (6.18)
\end{aligned}$$

Remark. It is worth mentioning that even if not all these assumptions are 
made, it is still possible to use this approach to find useful information about the 
output bits of the LFSRs. 
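The two phases just described, the maxterm search of Section C.1 (Theorem 6.1, Table 6) and the online solution of Section C.2, as one added example in Python rather than the thesis's Maple program (this code is not from the thesis): it evaluates Equation (5.31) as a Boolean function, tests every cube of size 2 and 3 over $x_1, \dots, x_{16}$ for a linear, non-constant superpoly, then queries a modelled oracle once per distinct superpoly and solves the resulting GF(2) system. Assumptions that are the example's own and not the thesis's: the slot numbering of the twenty variables, the exact linearity test (a size-k cube of a degree-4 polynomial leaves a superpoly of degree at most 4-k, so its quadratic coefficients can be read off directly instead of probabilistically), the oracle model (the attacker sets the cube bits of the LFSR output, the remaining state stays secret, and the value of the relation is returned), and the constructed secret state and keystream bits used in the demonstration.

```python
from itertools import combinations
from math import comb

# Slots (this example's convention, following Equation (5.31)): 0..15 hold
# x1..x16, the LFSR output bits at clocks t..t+3, four per clock; 16..19 hold
# the keystream bits a = z_t, b = z_{t+1}, c = z_{t+2}, d = z_{t+3}.
NAMES = [f"x{i}" for i in range(1, 17)] + ["a", "b", "c", "d"]
NVARS, DEGREE = len(NAMES), 4        # DEGREE: total degree of Equation (5.31)

def pi(k, bits):                     # k-th elementary symmetric polynomial over GF(2)
    return comb(sum(bits), k) & 1    # equals C(#ones, k) mod 2

def e0_relation(v):
    """Equation (5.31) as a Boolean function of the 20-bit assignment v."""
    t0, t1, t2, t3 = v[0:4], v[4:8], v[8:12], v[12:16]
    a, b, c, d = v[16:20]
    p1, p2, p3, p4 = (pi(k, t1) for k in (1, 2, 3, 4))   # Pi^k_{t+1}
    q0, q2, r2, q3 = pi(1, t0), pi(1, t2), pi(2, t2), pi(1, t3)
    s = a ^ b ^ c ^ d
    r = s ^ (p2 & s) ^ p4 ^ (p1 & (a ^ c ^ d ^ (a & b) ^ (b & c) ^ (b & d)))
    r ^= q0 ^ (q0 & p1 & (1 ^ b)) ^ (q0 & p2)
    r ^= (q2 & b) ^ (q2 & p1 & c & (b ^ 1)) ^ (q2 & p2 & c)
    r ^= r2 ^ (r2 & p1 & (1 ^ b)) ^ (r2 & p2)
    r ^= q3 ^ (q3 & p1 & (b ^ 1)) ^ (q3 & p2)
    return r ^ (p3 & b) ^ p2 ^ p1

def cube_sum(f, cube, point):
    """XOR of f over every setting of the cube variables, the rest fixed to
    point: the value of the cube's superpoly at point (Dinur-Shamir)."""
    v, acc = list(point), 0
    for bits in range(1 << len(cube)):
        for j, idx in enumerate(cube):
            v[idx] = (bits >> j) & 1
        acc ^= f(v)
    return acc

def linear_superpoly(f, cube):
    """(coeffs, const) if the superpoly of cube is linear, else None.  A cube of
    size k leaves degree <= DEGREE - k, so for k >= DEGREE - 2 the x_i x_j
    coefficients read off below decide linearity exactly."""
    rest = [i for i in range(NVARS) if i not in cube]
    def at(*ones):                   # superpoly at the 0/1 point with these slots set
        pt = [0] * NVARS
        for i in ones:
            pt[i] = 1
        return cube_sum(f, cube, pt)
    const, single = at(), {i: at(i) for i in rest}
    if DEGREE - len(cube) >= 2:      # quadratic terms possible: check each one
        if any(at(i, j) ^ single[i] ^ single[j] ^ const for i, j in combinations(rest, 2)):
            return None
    return {i for i in rest if single[i] ^ const}, const

def find_maxterms(f, degrees=(2, 3)):
    """Preprocessing phase: cubes over x1..x16 with a linear, non-constant
    superpoly (Definition 4.3), keyed by 0-based cube slots."""
    found = {}
    for k in degrees:
        for cube in combinations(range(16), k):
            res = linear_superpoly(f, cube)
            if res is not None and res[0]:
                found[cube] = res
    return found

def make_oracle(secret_x, keystream):
    """Oracle model (an assumption, mirroring the thesis's use of the encryption
    machine): the attacker sets the cube bits, the rest stays secret."""
    base = list(secret_x) + list(keystream)
    def oracle(cube, assignment):
        v = base[:]
        for idx, bit in zip(cube, assignment):
            v[idx] = bit
        return e0_relation(v)
    return oracle

def gf2_solve(equations):
    """GF(2) Gaussian elimination on rows (mask of unknowns, rhs); returns
    {slot: value} for every unknown the system determines uniquely."""
    pivots = []                      # [pivot_slot, mask, rhs], kept fully reduced
    for mask, rhs in equations:
        for pv, pm, pr in pivots:
            if mask >> pv & 1:
                mask, rhs = mask ^ pm, rhs ^ pr
        if mask:                     # a zero row is a redundant equation
            pv = mask.bit_length() - 1
            for row in pivots:
                if row[1] >> pv & 1:
                    row[1], row[2] = row[1] ^ mask, row[2] ^ rhs
            pivots.append([pv, mask, rhs])
    return {pv: r for pv, m, r in pivots if m == 1 << pv}

def online_phase(maxterms, keystream, oracle):
    """Online phase: one oracle cube-sum per distinct superpoly, the intercepted
    keystream bits moved to the right-hand side, then solve for the LFSR bits."""
    equations = {}
    for cube, (coeffs, const) in maxterms.items():
        key = (frozenset(coeffs), const)
        if key not in equations:
            value = const
            for bits in range(1 << len(cube)):
                value ^= oracle(cube, [(bits >> j) & 1 for j in range(len(cube))])
            for i in coeffs & {16, 17, 18, 19}:   # a, b, c, d are known bits
                value ^= keystream[i - 16]
            equations[key] = (sum(1 << i for i in coeffs if i < 16), value)
    return gf2_solve(list(equations.values()))

if __name__ == "__main__":
    mt = find_maxterms(e0_relation)
    for cube, (co, k) in sorted(mt.items()):      # 1-based indexes as in Table 6
        print([i + 1 for i in cube], "->", " + ".join([NAMES[i] for i in sorted(co)] + ["1"] * k))
    secret, ks = [1, 0, 1, 1, 0, 1, 1, 0, 1, 1, 0, 1, 0, 0, 1, 1], (1, 0, 1, 1)   # constructed
    print(online_phase(mt, ks, make_oracle(secret, ks)) == {i: secret[i] for i in range(4, 12)})
```

Running the block prints the 84 maxterm cubes with their twelve superpolys, which are the rows of Table 6, and `True` when the eight bits $x_5, \dots, x_{12}$ come back equal to the constructed secret; $x_1$ to $x_4$ and $x_{13}$ to $x_{16}$ are left undetermined, which is the limitation the thesis notes for this attack.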


D. ANALYSIS OF THE RESULTS 
Below is our main contribution in this thesis. 


Theorem 6.3: If an attacker has unauthorized access to the encryption 
protocol and can use the encryption machine as an oracle so that he can 
manipulate some of the bits of the LFSRs, then by knowing the output bits of the 
E0 keystream generator he succeeds in recovering the outputs of the LFSRs at 
any clock tick. 


Proof: 


In section C of this chapter we proved that assuming that an attacker has 
access to the variables of the four LFSRs at clock times t, t+1, t+2 and t+3 and the 
output bit streams of E0, he can compute the output of the four LFSRs at clock 
ticks t+1 and t+2. 
By continuing this process in reverse order, it is easy to observe that one can 
compute the output of the four LFSRs at clock ticks t and t+1 by only having 
access to and tweaking the variables and the output of E0 at clock tick t-1. 

Taking a step back in time by one more clock, an attacker may explicitly find 
that for the output of the LFSRs at clocks t, t-1 he only has to have further access 
to and tweak the variables and the output bits of E0 at clock t-2, and so on. 

The theorem is proved. 


Further knowledge about the internals of E0 is needed to correlate the 
output of the LFSRs and the encryption key placed in E0. A difficulty one may 
have in completely revealing the encryption key is that, according to Lu and 
Vaudenay in [1], the E0 keystream generator produces limited segments of 
keystream and after 2745 bits the generator is reinitialized. However, this is not 
explicitly stated in the Bluetooth core specifications document. 


E. COMPLEXITY 


The complexity in this section is measured in operations steps. 


1. Preprocessing Phase 


Let d be the degree of the encryption function f and n be the number of 
variables of f. During the preprocessing phase, an attacker is trying to find as 
many maxterms as possible. From this phase, an attacker may obtain n+1 output 
bits from the LFSRs and some constant terms. The amount of work needed, 
based on Zhang et al. in [5], is 

$$n(n+1)2^{d-1}.$$

The attacker also needs to compute the inverse of the matrix of linear relations. 
This requires approximately $n^3$ operations and as a result, an upper bound 
from this phase is: 

$$n(n+1)2^{d-1} + n^3.$$
2. Online Phase 

For the online phase, where one needs to solve the system of linear 
equations implementing a chosen plaintext attack, $n2^{d-1}$ evaluations of the E0 
encryption function are needed, and the matrix multiplication, which takes 
$n^2$ operations, needs to be performed. Again, by drawing on the analysis by 
Zhang et al. [5], the complexity is of the following form: 

$$n2^{d-1} + n^2.$$

Therefore, the overall complexity from both phases is: 

$$n(n+1)2^{d-1} + n^3 + n2^{d-1} + n^2 = n^2 2^{d-1} + 2n 2^{d-1} + n^3 + n^2, \qquad (6.19)$$

which is equivalent to $O(n^2 2^{d-1} + n^3)$. 

In the case of Bluetooth, with $n = n_1 + n_2 + n_3 + n_4 = 128$ (where $n_1$ is the length of 
the first LFSR, $n_2$ is the length of the second LFSR, and so on) and $d = 4$, we 
determine that the attack on E0 requires $2246656 \approx 2^{21.1}$ bit operations. 

The number of operations needed for the computational process is considerably 
less than that of the similar algebraic attack (2™°' bit operations needed [3]) and 
correlation attack (2°*’ bit operations needed [2]) types, which we described in 
Chapter III. However, our cube-type attack is limited to the LFSRs' output at any 
clock tick. 
VII. CONCLUSION 


We can only see a short distance ahead, but we can see plenty 
there that needs to be done. 


Alan Turing (1912-1954) 
A. CONTRIBUTION 
The main contribution of this thesis is as follows: 


If an attacker has unauthorized access to the encryption protocol, can use 
the encryption machine as an oracle so that he can manipulate some of the bits 
of the LFSRs, and knows the output bits of the E0 keystream generator, he can 
find the outputs of the individual LFSRs at any clock tick. 


In this study, we investigated the current types of attacks, like correlation 
and algebraic attacks, used in wireless systems. We focused on a new 
(introduced in 2008) and promising type of algebraic attack, namely the cube 
attack. We implemented the cube attack in a wireless system, namely Bluetooth. 
We modeled the encryption function of E0 and automated the process of the 
cube attack on E0. This included the factorization process (preprocessing phase) 
where an attacker finds as many maxterms as possible. In the actual attacking 
phase, the attacker solves the system of linear equations through a chosen 
plaintext attack and computes useful information about the cryptosystem. The 
number of operations needed for the computational process is of order $2^{21.1}$ bit 
operations and is considerably less than that of similar algebraic types of attacks, 
but is limited to finding the output of the LFSRs at any clock cycle. 


A useful observation is the following. We have all these different types of 
attackers. Regardless of whether the attacker is a blackhat, greyhat or 
whitehat hacker, a sufficient level of sophistication is required for the attacker to 
succeed in implementing the cube-type attack. A mixture of a man-in-the-middle 
attack and a chosen plaintext attack, knowledge of the encryption function 
of the target machine, and knowledge of the encryption protocol that is in use 
all come into play, thus increasing the difficulty of the attack. 


B. FUTURE DIRECTIONS 


Further studies may improve many aspects of this thesis. The most 
important question that needs to be answered is how an attacker 
can recover the encryption key of E0 after learning the output bits of every LFSR 
that this study provides. Further investigation of the structure of E0 given in [28] 
is required to correlate the internal, initial state of the LFSRs, like the pure key, 
corresponding address, random number and the clocking bits that feed into the 
LFSRs during their initialization phase, and the output bits per clock tick. 


Building on these results, the next stage of research is to validate our 
integration of the cube-type attack into the Bluetooth encryption protocol. As 
demonstrated in this research as well as other research, one needs to be able to 
understand and formally evaluate the strengths of a given cryptosystem and be 
able to evaluate the implementation of the cryptosystem to ensure that there are 
no flaws in the application of the cryptosystem. The cryptosystem and the 
protocol it uses may be good, but if poorly implemented they will most likely be 


untrustworthy. 


Given the ubiquity of Wi-Fi and the emerging adoption of WiMAX, it is evident 
that more work needs to be done to understand the trustworthiness of wireless 
systems in terms of the strength of the underlying encryption protocols. These 
systems use different encryption algorithms and different ciphers than E0. One 
could follow our steps to implement the cube-type attack, like modeling the 
encryption function of these systems, and then execute the preprocessing phase 
and online phase and observe how effective this attack may be. 
APPENDIX A. ENCRYPTION FUNCTION OF E0 IN FULL 
EXPANSION 

From Equation (5.31), after doing the algebraic multiplication and addition, we 
end up with the detailed encryption function. We did not use any tool to gain the 
result, since the polynomial was not of high degree and the number of variables 
was manageable. 

$$\begin{aligned}
0 ={}& a \oplus b \oplus c \oplus d \\
&\oplus \bigoplus_{5 \le i < j \le 8} (x_ix_ja \oplus x_ix_jb \oplus x_ix_jc \oplus x_ix_jd) \oplus x_5x_6x_7x_8 \\
&\oplus \bigoplus_{i=5}^{8} (x_ia \oplus x_ic \oplus x_id \oplus x_iab \oplus x_ibc \oplus x_ibd) \\
&\oplus x_1 \oplus x_2 \oplus x_3 \oplus x_4 \oplus \bigoplus_{i=1}^{4}\bigoplus_{j=5}^{8} (x_ix_j \oplus x_ix_jb) \oplus \bigoplus_{i=1}^{4}\;\bigoplus_{5 \le j < k \le 8} x_ix_jx_k \\
&\oplus \bigoplus_{i=9}^{12} x_ib \oplus \bigoplus_{i=9}^{12}\bigoplus_{j=5}^{8} (x_ix_jc \oplus x_ix_jcb) \oplus \bigoplus_{i=9}^{12}\;\bigoplus_{5 \le j < k \le 8} x_ix_jx_kc \\
&\oplus \bigoplus_{9 \le i < j \le 12} x_ix_j \oplus \bigoplus_{9 \le i < j \le 12}\;\bigoplus_{k=5}^{8} (x_ix_jx_k \oplus x_ix_jx_kb) \oplus \bigoplus_{9 \le i < j \le 12}\;\bigoplus_{5 \le k < l \le 8} x_ix_jx_kx_l \\
&\oplus x_{13} \oplus x_{14} \oplus x_{15} \oplus x_{16} \oplus \bigoplus_{i=13}^{16}\bigoplus_{j=5}^{8} (x_ix_j \oplus x_ix_jb) \oplus \bigoplus_{i=13}^{16}\;\bigoplus_{5 \le j < k \le 8} x_ix_jx_k \\
&\oplus x_5x_6x_7b \oplus x_5x_6x_8b \oplus x_5x_7x_8b \oplus x_6x_7x_8b \\
&\oplus x_5x_6 \oplus x_5x_7 \oplus x_5x_8 \oplus x_6x_7 \oplus x_6x_8 \oplus x_7x_8 \oplus x_5 \oplus x_6 \oplus x_7 \oplus x_8.
\end{aligned}$$

Note: A glossary of the E0 keystream generator is provided in Appendix D. 
APPENDIX B. MAPLE 12 


Working in the Maple 12 environment and after running the detailed 
program, we found twelve superpolys, including the unknown variables of the 
four LFSRs for two consecutive clock times. The program was executed several 
times for testing purposes on an Intel Pentium 4 processor with a CPU of 2.80 
GHz and 1 GB of RAM, and the results were produced in a mean time of 8.03 
seconds, consuming 5.25 MB of memory. 


The structure of the program is simple. Using methods prod2 and prod3, 
we take the integers that represent the variables of the encryption function and 
concatenate them to create products of variables. The part method takes as an 
input any product of variables and returns its remainder and the cofactor 
(superpoly). The ptab method stores the results in a table. Then we iterate 
through the table and output every unique linear, nonconstant co-factor and their 


corresponding products (maxterms). 


In order to run this program one has to open a new worksheet in the 
Maple 12 environment and copy every paragraph that starts with the symbol “ >” 
and ends with symbol “;” of the following Maple code along with its contents and 
paste it to the worksheet. Then he or she has to press symbol “/!/!” from the 
taskbar to compile the code and continually do this process up to the last line of 
code. Comments starting with the symbol “//” must not be entered in the 


worksheet as it will cause an error. 


MAPLE CODE 
// The encryption function of EO in Algebraic Normal Form in Maple syntax 


> anf := a+b+t+ca+td i+ X5*X6*a + X5*X6*b + X5*X6%*c + 
X5*X6*d + X5*X7*a + X5*X7*b + X5*X7%*c + X5*X7¥*d + X5*X8%*a + 
X5*X8*b + X5*XB%*c + X5*XB%*d + XO6*X7*a + XO6*X7T*D + XE6*X7T¥%*C + 
X6*X7*d + X6*X8%*a + X6*XB*b + X6*X8B%*C + X6*X8X*d + X7*XB%*a + 
X7*X8*b + X7*X8*c + X7*X8*d + X5*X6*X7*X8 + X5*a + X5*c +
X5*d + X5*a*b + X5*b*c + X5*b*d + X6*a + X6*c + X6*d +
X6*a*b + X6*b*c + X6*b*d + X7*a + X7*c + X7*d + X7*a*b +
X7*b*c + X7*b*d + X8*a + X8*c + X8*d + X8*a*b + X8*b*c +
X8*b*d + X1 + X2 + X3 + X4 + X1*X5 + X1*X6 + X1*X7 + X1*X8 +
X2*X5 + X2*X6 + X2*X7 + X2*X8 + X3*X5 + X3*X6 + X3*X7 +
X3*X8 + X4*X5 + X4*X6 + X4*X7 + X4*X8 +
X1*X5*b + X1*X6*b + X1*X7*b + X1*X8*b + X2*X5*b + X2*X6*b +
X2*X7*b + X2*X8*b + X3*X5*b + X3*X6*b + X3*X7*b + X3*X8*b +
X4*X5*b + X4*X6*b + X4*X7*b + X4*X8*b + X1*X5*X6 +
X1*X5*X7 + X1*X5*X8 + X1*X6*X7 + X1*X6*X8 + X1*X7*X8 +
X2*X5*X6 + X2*X5*X7 + X2*X5*X8 + X2*X6*X7 + X2*X6*X8 +
X2*X7*X8 + X3*X5*X6 + X3*X5*X7 + X3*X5*X8 + X3*X6*X7 +
X3*X6*X8 + X3*X7*X8 + X4*X5*X6 + X4*X5*X7 + X4*X5*X8 +
X4*X6*X7 + X4*X6*X8 + X4*X7*X8 + X9*b + X10*b + X11*b +
X12*b + X9*X5*c + X9*X6*c + X9*X7*c + X9*X8*c + X10*X5*c +
X10*X6*c + X10*X7*c + X10*X8*c + X11*X5*c + X11*X6*c +
X11*X7*c + X11*X8*c + X12*X5*c + X12*X6*c +
X12*X7*c + X12*X8*c + X9*X5*c*b + X9*X6*c*b + X9*X7*c*b +
X9*X8*c*b + X10*X5*c*b + X10*X6*c*b + X10*X7*c*b +
X10*X8*c*b + X11*X5*c*b + X11*X6*c*b + X11*X7*c*b +
X11*X8*c*b + X12*X5*c*b + X12*X6*c*b + X12*X7*c*b +
X12*X8*c*b + X9*X5*X6*c + X9*X5*X7*c + X9*X5*X8*c +
X9*X6*X7*c + X9*X6*X8*c + X9*X7*X8*c + X10*X5*X6*c +
X10*X5*X7*c + X10*X5*X8*c + X10*X6*X7*c + X10*X6*X8*c +
X10*X7*X8*c + X11*X5*X6*c + X11*X5*X7*c + X11*X5*X8*c +
X11*X6*X7*c + X11*X6*X8*c + X11*X7*X8*c + X12*X5*X6*c +
X12*X5*X7*c + X12*X5*X8*c + X12*X6*X7*c + X12*X6*X8*c +
X12*X7*X8*c + X9*X10 + X9*X11 + X9*X12 + X10*X11 +
X10*X12 + X11*X12 + X9*X10*X5 + X9*X10*X6 + X9*X10*X7 +
X9*X10*X8 + X9*X11*X5 + X9*X11*X6 + X9*X11*X7 + X9*X11*X8 +
X9*X12*X5 + X9*X12*X6 + X9*X12*X7 + X9*X12*X8 + X10*X11*X5 +
X10*X11*X6 + X10*X11*X7 + X10*X11*X8 + X10*X12*X5 +
X10*X12*X6 + X10*X12*X7 + X10*X12*X8 + X11*X12*X5 +
X11*X12*X6 + X11*X12*X7 + X11*X12*X8 + X9*X10*X5*b +
X9*X10*X6*b + X9*X10*X7*b + X9*X10*X8*b + X9*X11*X5*b +
X9*X11*X6*b + X9*X11*X7*b + X9*X11*X8*b + X9*X12*X5*b +
X9*X12*X6*b + X9*X12*X7*b + X9*X12*X8*b + X10*X11*X5*b +
X10*X11*X6*b + X10*X11*X7*b + X10*X11*X8*b + X10*X12*X5*b +
X10*X12*X6*b + X10*X12*X7*b + X10*X12*X8*b + X11*X12*X5*b +
X11*X12*X6*b + X11*X12*X7*b + X11*X12*X8*b + X9*X10*X5*X6 +
X9*X10*X5*X7 + X9*X10*X5*X8 + X9*X10*X6*X7 + X9*X10*X6*X8 +
X9*X10*X7*X8 + X9*X11*X5*X6 + X9*X11*X5*X7 + X9*X11*X5*X8 +
X9*X11*X6*X7 + X9*X11*X6*X8 + X9*X11*X7*X8 + X9*X12*X5*X6 +
X9*X12*X5*X7 + X9*X12*X5*X8 + X9*X12*X6*X7 + X9*X12*X6*X8 +
X9*X12*X7*X8 + X10*X11*X5*X6 + X10*X11*X5*X7 +
X10*X11*X5*X8 + X10*X11*X6*X7 + X10*X11*X6*X8 +
X10*X11*X7*X8 + X10*X12*X5*X6 + X10*X12*X5*X7 +
X10*X12*X5*X8 + X10*X12*X6*X7 + X10*X12*X6*X8 +
X10*X12*X7*X8 + X11*X12*X5*X6 + X11*X12*X5*X7 +
X11*X12*X5*X8 + X11*X12*X6*X7 + X11*X12*X6*X8 +
X11*X12*X7*X8 + X13 + X14 + X15 + X16 + X13*X5 + X13*X6 +
X13*X7 + X13*X8 + X14*X5 + X14*X6 + X14*X7 + X14*X8 +
X15*X5 + X15*X6 + X15*X7 + X15*X8 + X16*X5 + X16*X6 +
X16*X7 + X16*X8 + X13*X5*b + X13*X6*b + X13*X7*b +
X13*X8*b + X14*X5*b + X14*X6*b + X14*X7*b + X14*X8*b +
X15*X5*b + X15*X6*b + X15*X7*b + X15*X8*b + X16*X5*b +
X16*X6*b + X16*X7*b + X16*X8*b + X13*X5*X6 +
X13*X5*X7 + X13*X5*X8 + X13*X6*X7 + X13*X6*X8 + X13*X7*X8 +
X14*X5*X6 + X14*X5*X7 + X14*X5*X8 + X14*X6*X7 + X14*X6*X8 +
X14*X7*X8 + X15*X5*X6 +
X15*X5*X7 + X15*X5*X8 + X15*X6*X7 + X15*X6*X8 + X15*X7*X8 +
X16*X5*X6 + X16*X5*X7 + X16*X5*X8 + X16*X6*X7 + X16*X6*X8 +
X16*X7*X8 + X5*X6*X7*b + X5*X6*X8*b + X5*X7*X8*b +
X6*X7*X8*b + X5*X6 + X5*X7 + X5*X8 + X6*X7 + X6*X8 +
X7*X8 + X5 + X6 + X7 + X8;


// prod2 & prod3 take integers and return a product of those X variables
> prod2 := (n,m) -> cat(X,n) * cat(X,m);

> prod3 := (n,m,o) -> cat(X,n) * cat(X,m) * cat(X,o);


// parts takes a product p and returns a list of 2 parts: remainder and cofactor
> parts := proc( p ) global anf; local l, z, t;
    # replace the monomial p by a fresh variable z and collect anf by powers of z;
    # t receives the terms (1 and/or z), l the matching coefficients
    l := coeffs( algsubs( p = z, anf ), z, 't' );
    if nops([l]) = 1 then [ l, 0 ];      # z is absent: p divides no term, cofactor 0
    else if t[1] = 1 then [ l ];         # l is already (remainder, cofactor)
    else [ l[2], l[1] ];                 # l is (cofactor, remainder): swap
    end if; end if; end proc;


// set up table "ptab" of these parts, indexed by the integers
> ptab := table();

> for i to 15 do for j from i+1 to 16 do
    ptab[i,j] := parts( prod2(i,j) );
  end do; end do;

> for i to 14 do for j from i+1 to 15 do for k from j+1 to 16 do
    ptab[i,j,k] := parts( prod3(i,j,k) );
  end do; end do; end do;

> degree(%);

> for i in indices(ptab) do
    if ( degree( ptab[op(i)][2] ) = 1 ) then
      print(i); print(ptab[op(i)][2]); print(ptab[op(i)][1]);
    end if;
  end do;

> whattype( indices(ptab) );

> linfac := select( i -> ( degree( ptab[op(i)][2] ) = 1 ),
                    [indices(ptab)] ):

> nops(linfac);

> ptab[op(linfac[1])][2];

> sort( [ seq( ptab[op(i)][2], i in linfac ) ] );

> linfacs := convert(%, set);

> linfacs := convert(linfacs, list);

> nops(linfacs);

> for fac in linfacs do
    print(fac);
    for i in linfac do
      if ( ptab[op(i)][2] = fac ) then print(i); end if;
    end do;
  end do;
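The worksheet above does the preprocessing phase symbolically: for every product of two or three LFSR output variables it factors the ANF into remainder and cofactor, keeps the products whose cofactor is linear and non-constant, and groups the maxterms by superpoly. The Python program below is an added example written for this page, not code from the thesis; it redoes that factorization over a constructed toy ANF built from a handful of the E0 terms listed above (it is not the full E0 polynomial), and then shows the side the worksheet does not: treating the polynomial as a black box, XORing it over all assignments of a cube and checking that the result equals the superpoly, plus the probabilistic linearity test an attacker would run when only an oracle is available. All function names (parse_anf, superpoly, find_maxterms, cube_sum, linearity_check) and the toy polynomial are assumptions of this example.

```python
from itertools import combinations, product
import random

# A GF(2) polynomial in algebraic normal form is a set of monomials; each
# monomial is a frozenset of variable names (the empty frozenset is the constant 1).
def parse_anf(text):
    poly = set()
    for term in text.replace("\n", " ").split("+"):
        term = term.strip()
        if term:
            mono = frozenset() if term == "1" else frozenset(term.split("*"))
            poly ^= {mono}  # XOR: a monomial that appears twice cancels
    return poly

# Constructed toy ANF (hypothetical): a few terms copied from the E0 listing,
# NOT the full E0 polynomial. X1..X16 are LFSR output bits at clock ticks
# t..t+3 and a..d the keystream bits, with the same meaning as in the thesis.
TOY_ANF = parse_anf("""
X5*X6*X7*X8 + X5*X6*X7*b + X5*X6*X8*b + X5*X7*X8*b + X6*X7*X8*b +
X1*X5 + X1*X5*b + X1*X5*X6 + X1*X5*X7 + X1*X5*X8 +
X9*X5*X6*c + X9*X10*X5*X6 + X9*X11*X5*X6 + X9*X12*X5*X6 +
X1 + X2 + X5*a + X5*b*c + a*b
""")
CUBE_VARS = [f"X{i}" for i in range(1, 17)]      # public bits an attacker chooses
ALL_VARS = CUBE_VARS + ["a", "b", "c", "d"]

def superpoly(poly, cube):
    """Cofactor of the cube monomial: keep the terms divisible by it and strip
    the cube variables. This is what the Maple call
    coeffs(algsubs(p = z, anf), z) extracts for the product p."""
    cube = frozenset(cube)
    return {mono - cube for mono in poly if cube <= mono}

def degree(poly):
    return max((len(m) for m in poly), default=-1)   # -1 for the zero polynomial

def is_maxterm(poly, cube):
    # maxterm: the superpoly is linear and non-constant, i.e. degree exactly 1
    return degree(superpoly(poly, cube)) == 1

def fmt(poly):
    return " + ".join(sorted("*".join(sorted(m)) or "1" for m in poly))

def find_maxterms(poly, variables, max_size=3):
    """Preprocessing phase: try every cube of 2..max_size public variables
    (the Maple prod2/prod3 loops) and group the maxterms by their superpoly."""
    found = {}
    for k in range(2, max_size + 1):
        for cube in combinations(variables, k):
            if is_maxterm(poly, cube):
                found.setdefault(fmt(superpoly(poly, cube)), []).append(cube)
    return found

def evaluate(poly, assignment):
    """Evaluate the ANF at a 0/1 assignment (dict variable -> bit)."""
    return sum(all(assignment[v] for v in mono) for mono in poly) % 2

def cube_sum(poly, cube, fixed):
    """Online phase, black-box view: XOR f over all 2^|cube| settings of the
    cube variables, every other variable held at the values in `fixed`.
    By the cube theorem the result equals the superpoly evaluated at `fixed`."""
    acc = 0
    for bits in product((0, 1), repeat=len(cube)):
        env = dict(fixed)
        env.update(zip(cube, bits))
        acc ^= evaluate(poly, env)
    return acc

def linearity_check(poly, cube, variables, trials=16, seed=1):
    """BLR-style test for when f is only an oracle: a superpoly p is linear iff
    p(0) + p(x) + p(y) + p(x+y) = 0 for all x, y; random x, y give a
    probabilistic check, and more trials make a nonlinear p harder to miss."""
    rng = random.Random(seed)
    others = [v for v in variables if v not in cube]
    p0 = cube_sum(poly, cube, {v: 0 for v in others})
    for _ in range(trials):
        x = {v: rng.randint(0, 1) for v in others}
        y = {v: rng.randint(0, 1) for v in others}
        xy = {v: x[v] ^ y[v] for v in others}
        if p0 ^ cube_sum(poly, cube, x) ^ cube_sum(poly, cube, y) ^ cube_sum(poly, cube, xy):
            return False
    return True

if __name__ == "__main__":
    # same presentation as Appendix C: superpoly, then the index lists of its maxterms
    for sp, cubes in find_maxterms(TOY_ANF, CUBE_VARS).items():
        print(sp, [[int(v[1:]) for v in c] for c in cubes])
    print("X6*X7*X8 passes linearity test:",
          linearity_check(TOY_ANF, ("X6", "X7", "X8"), ALL_VARS))
```

On the toy polynomial the cube X6*X7*X8 yields the superpoly X5 + b, X1*X5 yields 1 + X6 + X7 + X8 + b and X5*X6*X9 yields X10 + X11 + X12 + c, matching the corresponding entries of the E0 output in Appendix C; in the online phase each such cube sum gives one linear equation in the unknown LFSR and keystream bits.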


Note: To add a comment to the worksheet, choose Insert > Paragraph from the
menu bar and then Before Cursor or After Cursor. A new paragraph is inserted
and the cursor moves to the new blank line, where the comment can be typed.
APPENDIX C. PROGRAM OUTPUT

Maple 12 runs on Windows (2000, 2003, XP, Vista), Macintosh, UNIX, Linux and
Solaris. The developers' system recommendations are:
• CPU: AMD x86_64 / 1 GHz / Intel Xeon / Intel 64
• RAM: 512 MB (at least)
• Hard disk: 1 GB

The program listed in Appendix B was executed on an Intel Pentium 4 at
2.80 GHz with 1 GB of RAM under Windows XP. Its output follows. Each linear
expression printed without brackets is a superpoly, and each bracketed list
under it gives the indices of the X variables whose product is a maxterm with
that superpoly. For example, the superpoly x5 ⊕ b has only one maxterm, x6x7x8,
whereas the superpoly x9 ⊕ x11 ⊕ x12 ⊕ c has the maxterms x5x6x10, x6x7x10,
x5x7x10, x6x8x10, x5x8x10 and x7x8x10.


OUTPUT

X5 + b
[6, 7, 8]
X6 + b
[5, 7, 8]
X7 + b
[5, 6, 8]
b + X8
[5, 6, 7]
X11 + X12 + X9 + c
[5, 6, 10]
[6, 7, 10]
[5, 7, 10]
[6, 8, 10]
[5, 8, 10]
[7, 8, 10]
X11 + X12 + c + X10
[7, 8, 9]
[6, 8, 9]
[5, 6, 9]
[6, 7, 9]
[5, 7, 9]
[5, 8, 9]
X9 + c + X10 + X11
[5, 8, 12]
[5, 6, 12]
[5, 7, 12]
[6, 8, 12]
[7, 8, 12]
[6, 7, 12]
c + X10 + X12 + X9
[6, 7, 11]
[7, 8, 11]
[6, 8, 11]
[5, 8, 11]
[5, 7, 11]
[5, 6, 11]
1 + X6 + X7 + X8 + b
[1, 5]
[5, 11, 12]
[5, 16]
[5, 9, 11]
[5, 10, 11]
[5, 13]
[3, 5]
[2, 5]
[5, 9, 12]
[83]
[5, 9, 10]
[4, 5]
[5, 14]
1 + X6 + X8 + b + X5
[7, 10, 12]
[7, 16]
[7, 9, 11]
[7, 9, 12]
[7, 9, 10]
[7, 10, 11]
[7, 11, 12]
[7, 13]
[7, 15]
[4, 7]
[2, 7]
[3, 7]
[7, 14]
[1, 7]
1 + X7 + X8 + b + X5
[6, 10, 11]
[1, 6]
[6, 9, 12]
[6, 11, 12]
[6, 16]
[6, 9, 10]
[6, 15]
[2, 6]
[6, 13]
[4, 6]
[3, 6]
[6, 14]
[6, 10, 12]
[6, 9, 11]
1 + b + X5 + X6 + X7
[4, 8]
[3, 8]
[8, 10, 12]
[8, 9, 11]
[8, 16]
[1, 8]
[8, 9, 12]
[8, 15]
[8, 14]
[8, 13]
[8, 9, 10]
[8, 10, 11]
[8, 11, 12]
[2, 8]
APPENDIX D. GLOSSARY OF BLUETOOTH KEY STREAM GENERATOR E0

K_C ............................ Encryption Key
COF ............................ Encryption Offset Number
∨ .............................. Bitwise OR
⊕ .............................. Bitwise Exclusive OR
LFSR ........................... Linear Feedback Shift Register
CLK ............................ Master Clock Bits
x_t^i .......................... Output bit of LFSR_i at clock-time t
y_t = Σ_{i=1}^{4} x_t^i ........ Summation outcome (integer) from the output bits of the four LFSRs at clock-time t
z_t ............................ keystream bit produced by E0 at clock-time t
z_{t+1} ........................ keystream bit produced by E0 at clock-time t+1
z_{t+2} ........................ keystream bit produced by E0 at clock-time t+2
z_{t+3} ........................ keystream bit produced by E0 at clock-time t+3
c_t, c_{t-1} ................... Four memory bits at clock-time t
c_t ............................ Current two-bit block of memory bits at clock-time t
c_{t-1} ........................ Two-bit block of memory bits at clock-time t-1
s_{t+1} ........................ Two-bit sequence
s_{t+1}^1 ...................... First bit of the two-bit sequence
s_{t+1}^0 ...................... Second bit of the two-bit sequence
c_t^1 .......................... First bit of the current two-bit block of memory bits at clock-time t
c_t^0 .......................... Second bit of the current two-bit block of memory bits at clock-time t
c_{t-1}^1 ...................... First bit of the two-bit block of memory bits at clock-time t-1
c_{t-1}^0 ...................... Second bit of the two-bit block of memory bits at clock-time t-1
e_i(x) ......................... the i-th elementary symmetric polynomial in x
x_1, x_2, x_3, x_4 ............. The outputs of the 1st, ..., 4th LFSR at clock-time t, respectively
x_5, x_6, x_7, x_8 ............. The outputs of the 1st, ..., 4th LFSR at clock-time t+1, respectively
x_9, x_10, x_11, x_12 .......... The outputs of the 1st, ..., 4th LFSR at clock-time t+2, respectively
x_13, x_14, x_15, x_16 ......... The outputs of the 1st, ..., 4th LFSR at clock-time t+3, respectively
a .............................. keystream bit produced by E0 at clock-time t, z_t
b .............................. keystream bit produced by E0 at clock-time t+1, z_{t+1}
c .............................. keystream bit produced by E0 at clock-time t+2, z_{t+2}
d .............................. keystream bit produced by E0 at clock-time t+3, z_{t+3}